
Commit 46b3a67

committed
fix: prevent DOS when checking an unknown repo
1 parent b7b67a5 commit 46b3a67


2 files changed

+58
-6
lines changed


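--- a/src/db/mongo/repo.ts
+++ b/src/db/mongo/repo.ts
@@ -79,19 +79,19 @@ export const deleteRepo = async (name: string) => {
 export const isUserPushAllowed = async (name: string, user: string) => {
 name = name.toLowerCase();
 user = user.toLowerCase();
+console.log(`checking if user ${user} can push to ${name}`);
 return new Promise(async (resolve) => {
 const repo = await exports.getRepo(name);
-console.log(repo.users.canPush);
-console.log(repo.users.canAuthorise);
-
-if (repo.users.canPush.includes(user) || repo.users.canAuthorise.includes(user)) {
-resolve(true);
-} else {
+if( !repo ) {
+console.log(`repo ${name} not found`);
 resolve(false);
+return;
 }
+resolve(repo.users.canPush.includes(user) || repo.users.canAuthorise.includes(user));
 });
 };
 
+// not used in the codebase, but kept for compatibility
 export const canUserApproveRejectPushRepo = async (name: string, user: string) => {
 name = name.toLowerCase();
 user = user.toLowerCase();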
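Review bot: The guard at new line 85 handles a missing repo, but the `new Promise(async (resolve) => …)` wrapper at new line 83 still never settles when `exports.getRepo` rejects: a throw inside an async executor is not forwarded to the outer promise, so a database error leaves the caller awaiting forever instead of the check failing closed. Since `isUserPushAllowed` is already `async`, the wrapper can be dropped so that errors propagate to the caller and the two `resolve(…)` calls become plain returns, as sketched below. `repo.users` is still dereferenced without a check at new line 90; whether a stored repo can lack `users` is not visible here, so that may need the same treatment. The `if( !repo )` spacing also differs from the `if (…)` form used elsewhere in the hunk.
```typescript
export const isUserPushAllowed = async (name: string, user: string) => {
  // … unchanged: lower-casing of name/user and the "checking if user" log …
  const repo = await exports.getRepo(name);
  if (!repo) {
    console.log(`repo ${name} not found`);
    return false; // fail closed; a rejected getRepo now propagates to the caller
  }
  return repo.users.canPush.includes(user) || repo.users.canAuthorise.includes(user);
};
```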

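--- /dev/null
+++ b/test/db/mongo/repo.test.js
@@ -0,0 +1,52 @@
+const chai = require('chai');
+const sinon = require('sinon');
+const repoModule = require('../../../src/db/mongo/repo');
+
+const { expect } = chai;
+
+describe('mongo repo', () => {
+afterEach(() => {
+sinon.restore();
+});
+
+describe('isUserPushAllowed', () => {
+it('returns true if user is in canPush', async () => {
+sinon.stub(repoModule, 'getRepo').resolves({
+users: {
+canPush: ['alice'],
+canAuthorise: [],
+},
+});
+const result = await repoModule.isUserPushAllowed('myrepo', 'alice');
+expect(result).to.be.true;
+});
+
+it('returns true if user is in canAuthorise', async () => {
+sinon.stub(repoModule, 'getRepo').resolves({
+users: {
+canPush: [],
+canAuthorise: ['bob'],
+},
+});
+const result = await repoModule.isUserPushAllowed('myrepo', 'bob');
+expect(result).to.be.true;
+});
+
+it('returns false if user is in neither', async () => {
+sinon.stub(repoModule, 'getRepo').resolves({
+users: {
+canPush: [],
+canAuthorise: [],
+},
+});
+const result = await repoModule.isUserPushAllowed('myrepo', 'charlie');
+expect(result).to.be.false;
+});
+
+it('returns false if repo is not registered', async () => {
+sinon.stub(repoModule, 'getRepo').resolves(null);
+const result = await repoModule.isUserPushAllowed('myrepo', 'charlie');
+expect(result).to.be.false;
+});
+});
+});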
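Review bot: The new tests cover a null repo but not the lookup-failure path, so nothing pins how `isUserPushAllowed` behaves when `getRepo` rejects (with the current promise wrapper in `src/db/mongo/repo.ts` it appears to hang rather than reject, and a test would make that visible): `sinon.stub(repoModule, 'getRepo').rejects(new Error('db down'));` followed by an assertion that the returned promise rejects. Case folding is also untested; `expect(await repoModule.isUserPushAllowed('MyRepo', 'Alice')).to.be.true;` against the `['alice']` fixture would cover the `toLowerCase()` calls. These stubs only take effect because the implementation calls `exports.getRepo` rather than the local binding, so a one-line comment near the first `sinon.stub` recording that dependency would keep a future refactor from silently turning the stubs into no-ops.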
