fix: validate remote regex patterns at write time
ci/woodpecker/pr/test Pipeline was successful
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/build Pipeline was successful

compilePatterns silently drops any pattern that fails to compile, so a
mistyped blocklist entry became a no-op (fail-open). Reject invalid
patterns when a remote is created or updated via Remote.ValidatePatterns,
returning 400 instead of storing a rule that never matches.

Refs #72
This commit is contained in:
2026-07-02 00:32:16 +10:00
parent 8d9bc1c422
commit 65c8281348
3 changed files with 52 additions and 0 deletions
+8
View File
@@ -69,6 +69,10 @@ func (h *RemotesHandler) create(w http.ResponseWriter, r *http.Request) {
http.Error(w, "base_url is required for remote repositories", http.StatusBadRequest)
return
}
if err := remote.ValidatePatterns(); err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
if err := h.db.CreateRemote(r.Context(), &remote); err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
@@ -84,6 +88,10 @@ func (h *RemotesHandler) update(w http.ResponseWriter, r *http.Request) {
return
}
remote.Name = name
if err := remote.ValidatePatterns(); err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
if err := h.db.UpdateRemote(r.Context(), &remote); err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return