Prevent http git urls from including username/pword

2025-03-01 10:36:34 +00:00 · 2018-02-02 22:43:29 +00:00
parent fc1436a96d
commit d1f7fd8bfd
5 changed files with 54 additions and 6 deletions
--- a/red/api/editor/projects/index.js
+++ b/red/api/editor/projects/index.js
@@ -501,6 +501,10 @@ module.exports = {
        // Add a remote
        app.post("/:id/remotes", needsPermission("projects.write"), function(req,res) {
            var projectName = req.params.id;
+            if (/^https?:\/\/[^/]+@/i.test(req.body.url)) {
+                res.status(400).json({error:"unexpected_error", message:"Git http url must not include username/password"});
+                return;
+            }
            runtime.storage.projects.addRemote(req.user, projectName, req.body).then(function() {
                res.redirect(303,req.baseUrl+"/"+projectName+"/remotes");
            }).catch(function(err) {
--- a/red/runtime/storage/localfilesystem/projects/git/index.js
+++ b/red/runtime/storage/localfilesystem/projects/git/index.js
@@ -69,6 +69,8 @@ function runGitCommand(args,cwd,env) {
                    err.code = "git_not_a_repository";
                } else if (/Repository not found/i.test(stderr)) {
                    err.code = "git_repository_not_found";
+                } else if (/repository '.*' does not exist/i.test(stderr)) {
+                    err.code = "git_repository_not_found";
                } else if (/refusing to merge unrelated histories/.test(stderr)) {
                    err.code = "git_pull_unrelated_history"
                }