Verify git checkout path is in site directory

QuLogic · QuLogic · commit e90358e1f454 · 2022-03-09T19:58:44.000-05:00
This is unlikely, as we verify inputs come from GitHub using signatures,
but it's best to be safe about this.
diff --git a/test_webhook.py b/test_webhook.py
@@ -121,6 +121,14 @@ async def test_github_webhook_errors(aiohttp_client, monkeypatch):
     assert resp.status == 400
     assert 'incorrect repository' in await resp.text()
 
+    # Fields provided, but invalid.
+    resp = await client.post(
+        '/gh/non-existent-repo', headers=valid_headers,
+        data='{"sender": {"login": "QuLogic"}, "repository":'
+             ' {"name": "..", "owner": {"login": "matplotlib"}}}')
+    assert resp.status == 400
+    assert 'incorrect repository' in await resp.text()
+
     # Problem on our side.
     resp = await client.post(
         '/gh/non-existent',
diff --git a/webhook.py b/webhook.py
@@ -156,7 +156,12 @@ async def github_webhook(request: web.Request):
                  delivery, ref, expected_branch)
         return web.Response(status=200)
 
-    checkout = Path(os.environ.get('SITE_DIR', 'sites'), repository)
+    site_dir = Path(os.environ.get('SITE_DIR', 'sites')).resolve()
+    checkout = (site_dir / repository).resolve()
+    if not checkout.is_relative_to(site_dir):
+        raise web.HTTPBadRequest(
+            reason=(f'{delivery}: Checkout for {organization}/{repository} '
+                    'does not exist'))
     if not (checkout / '.git').is_dir():
         raise web.HTTPInternalServerError(
             reason=(f'{delivery}: Checkout for {organization}/{repository} '
