Merge #101 Fix #88 - Reject SCM URLs which do not match the URL structure expected by pdc-updater.

2026-04-05 03:38:12 +08:00 · 2016-10-20 15:27:50 +00:00
parent f54b047f48 728eaf2277
commit a18ccf4f11
2 changed files with 27 additions and 4 deletions
--- a/rida/views.py
+++ b/rida/views.py
@@ -36,6 +36,7 @@ import rida.auth
 import rida.scm
 import shutil
 import tempfile
+import re
 from rida import app, conf, db, log
 from rida import models
 from rida.utils import pagination_metadata, filter_module_builds
@@ -92,8 +93,15 @@ class ModuleBuildAPI(MethodView):

        url = r["scmurl"]
        if not any(url.startswith(prefix) for prefix in conf.scmurls):
-            log.error('The submitted scmurl is not allowed')
-            raise Unauthorized("The submitted scmurl is not allowed")
+            log.error("The submitted scmurl %r is not allowed" % url)
+            raise Unauthorized("The submitted scmurl %s is not allowed" % url)
+
+        scmurl_re = re.compile(
+            r"(?P<giturl>(?:(?P<scheme>git)://(?P<host>[^/]+))?"
+            r"(?P<repopath>/[^\?]+))\?(?P<modpath>[^#]*)#(?P<revision>.+)")
+        if not scmurl_re.match(url):
+            log.error("The submitted scmurl %r is not valid" % url)
+            raise Unauthorized("The submitted scmurl %s is not valid" % url)

        yaml = ""
        td = None
--- a/tests/test_views/test_views.py
+++ b/tests/test_views/test_views.py
@@ -212,8 +212,23 @@ class TestViews(unittest.TestCase):
        rv = self.client.post('/rida/1/module-builds/', data=json.dumps(
            {'scmurl': 'git://badurl.com'}))
        data = json.loads(rv.data)
-        self.assertEquals(
-            data['message'], 'The submitted scmurl is not allowed')
+        self.assertEquals(data['message'], 'The submitted scmurl '
+            'git://badurl.com is not allowed')
+        self.assertEquals(data['status'], 401)
+        self.assertEquals(data['error'], 'Unauthorized')
+
+    @patch('rida.auth.get_username', return_value='Homer J. Simpson')
+    @patch('rida.auth.assert_is_packager')
+    def test_submit_build_scm_url_without_hash(self,
+                                               mocked_assert_is_packager,
+                                               mocked_get_username):
+        rv = self.client.post('/rida/1/module-builds/', data=json.dumps(
+            {'scmurl': 'git://pkgs.stg.fedoraproject.org/modules/'
+                'testmodule.git'}))
+        data = json.loads(rv.data)
+        self.assertEquals(data['message'], 'The submitted scmurl '
+            'git://pkgs.stg.fedoraproject.org/modules/testmodule.git '
+            'is not valid')
        self.assertEquals(data['status'], 401)
        self.assertEquals(data['error'], 'Unauthorized')