From 728eaf227741c1f68da9c212e74864b3b9aa90d6 Mon Sep 17 00:00:00 2001
From: Jan Kaluza
Date: Wed, 19 Oct 2016 15:16:52 +0200
Subject: [PATCH] Fix #88 - Reject SCM URLs which do not match the URL structure expected by pdc-updater.

---
 rida/views.py | 12 ++++++++++--
 tests/test_views/test_views.py | 19 +++++++++++++++++--
 2 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/rida/views.py b/rida/views.py
index 54fcc0ab..a73738c9 100644
--- a/rida/views.py
+++ b/rida/views.py
@@ -36,6 +36,7 @@ import rida.auth
 import rida.scm
 import shutil
 import tempfile
+import re
 from rida import app, conf, db, log
 from rida import models
 from rida.utils import pagination_metadata, filter_module_builds
@@ -92,8 +93,15 @@ class ModuleBuildAPI(MethodView):
 
         url = r["scmurl"]
         if not any(url.startswith(prefix) for prefix in conf.scmurls):
-            log.error('The submitted scmurl is not allowed')
-            raise Unauthorized("The submitted scmurl is not allowed")
+            log.error("The submitted scmurl %r is not allowed" % url)
+            raise Unauthorized("The submitted scmurl %s is not allowed" % url)
+
+        scmurl_re = re.compile(
+            r"(?P(?:(?Pgit)://(?P[^/]+))?"
+            r"(?P/[^\?]+))\?(?P[^#]*)#(?P.+)")
+        if not scmurl_re.match(url):
+            log.error("The submitted scmurl %r is not valid" % url)
+            raise Unauthorized("The submitted scmurl %s is not valid" % url)
 
         yaml = ""
         td = None
diff --git a/tests/test_views/test_views.py b/tests/test_views/test_views.py
index 8a0c2040..097fffd3 100644
--- a/tests/test_views/test_views.py
+++ b/tests/test_views/test_views.py
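Review bot: The new `scmurl_re.match(url)` check anchors only at the start and its last group accepts any non-empty run of non-newline characters, so a URL whose fragment is not a commit hash, or that carries extra text after a newline, still passes the structural check; if the fragment is meant to be a git commit, constrain and anchor that group, e.g. replace `#(?P.+)` with `#(?P<commit>[0-9a-f]{40})\Z` (group name is a constructed example). As rendered here the named groups read `(?P(` with no `<name>` part, which `re.compile` would reject, so the names were presumably lost in rendering; worth confirming they are intact in the file. Compiling the pattern inside the request handler repeats `re.compile` on every POST; hoisting `scmurl_re` to module level next to the new `import re` is the usual form and keeps the accepted URL shape visible in one place. The enclosing method of `ModuleBuildAPI` starts and ends outside the hunk.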
@@ -212,8 +212,23 @@ class TestViews(unittest.TestCase):
         rv = self.client.post('/rida/1/module-builds/', data=json.dumps(
             {'scmurl': 'git://badurl.com'}))
         data = json.loads(rv.data)
-        self.assertEquals(
-            data['message'], 'The submitted scmurl is not allowed')
+        self.assertEquals(data['message'], 'The submitted scmurl '
+                          'git://badurl.com is not allowed')
+        self.assertEquals(data['status'], 401)
+        self.assertEquals(data['error'], 'Unauthorized')
+
+    @patch('rida.auth.get_username', return_value='Homer J. Simpson')
+    @patch('rida.auth.assert_is_packager')
+    def test_submit_build_scm_url_without_hash(self,
+                                               mocked_assert_is_packager,
+                                               mocked_get_username):
+        rv = self.client.post('/rida/1/module-builds/', data=json.dumps(
+            {'scmurl': 'git://pkgs.stg.fedoraproject.org/modules/'
+             'testmodule.git'}))
+        data = json.loads(rv.data)
+        self.assertEquals(data['message'], 'The submitted scmurl '
+                          'git://pkgs.stg.fedoraproject.org/modules/testmodule.git '
+                          'is not valid')
         self.assertEquals(data['status'], 401)
         self.assertEquals(data['error'], 'Unauthorized')
 
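Review bot: `test_submit_build_scm_url_without_hash` exercises only a URL with neither `?` nor `#`, so the boundary the new pattern actually draws is untested; a case with a `?` query but no `#` fragment, and a well-formed URL that gets past the check, would pin the accepted shape rather than just one rejection. The new assertions also cement a 401 `Unauthorized` for a malformed URL, which is a validation failure rather than an authorization one; if a 400 is ever preferred, this test is where that choice is fixed. The added lines use `assertEquals`, a deprecated alias; `assertEqual` is the supported name even though the surrounding file still uses the old one.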