add check (#25)

* add_check

* fix

Author: Goalina

config.yml.example

@@ -1,8 +1,16 @@
-LFS_BUCKET: ***********
-CDN_DOMAIN: ***********
-OBS_REGION: ***********
-OBS_ACCESS_KEY_ID: ***********
-OBS_SECRET_ACCESS_KEY: ***********
-CLIENT_ID: ***********
-CLIENT_SECRET: ***********
-PATH_PREFIX: ***********
+{
+    "LFS_BUCKET": ***********
+    "CDN_DOMAIN": ***********
+    "OBS_REGION": ***********
+    "OBS_ACCESS_KEY_ID": ***********
+    "OBS_SECRET_ACCESS_KEY": ***********
+    "CLIENT_ID": ***********
+    "CLIENT_SECRET": ***********
+    "PATH_PREFIX": ***********
+    "VALIDATE_REGEXP": {
+        "OWNER_REGEXP": "^[a-zA-Z]([-_.]?[a-zA-Z0-9]+)*$",
+        "REPONAME_REGEXP": "^[a-zA-Z0-9_.-]{1,189}[a-zA-Z0-9]$",
+        "USERNAME_REGEXP": "^[a-zA-Z]([-_.]?[a-zA-Z0-9]+)*$",
+        "PASSWORD_REGEXP": "^[a-zA-Z0-9!@_#$%^&*()\\-=+,?.,]*$"
+    }
+}

config/config.go

@@ -7,14 +7,22 @@ import (
 )
 
 type Config struct {
-	Prefix             string `json:"PATH_PREFIX"`
-	LfsBucket          string `json:"LFS_BUCKET"`
-	ClientId           string `json:"CLIENT_ID"`
-	ClientSecret       string `json:"CLIENT_SECRET"`
-	CdnDomain          string `json:"CDN_DOMAIN"`
-	ObsRegion          string `json:"OBS_REGION"`
-	ObsAccessKeyId     string `json:"OBS_ACCESS_KEY_ID"`
-	ObsSecretAccessKey string `json:"OBS_SECRET_ACCESS_KEY"`
+	Prefix             string         `json:"PATH_PREFIX"`
+	LfsBucket          string         `json:"LFS_BUCKET"`
+	ClientId           string         `json:"CLIENT_ID"`
+	ClientSecret       string         `json:"CLIENT_SECRET"`
+	CdnDomain          string         `json:"CDN_DOMAIN"`
+	ObsRegion          string         `json:"OBS_REGION"`
+	ObsAccessKeyId     string         `json:"OBS_ACCESS_KEY_ID"`
+	ObsSecretAccessKey string         `json:"OBS_SECRET_ACCESS_KEY"`
+	ValidateConfig     ValidateConfig `json:"VALIDATE_REGEXP"`
+}
+
+type ValidateConfig struct {
+	OwnerRegexp    string `json:"OWNER_REGEXP"         required:"true"`
+	RepoNameRegexp string `json:"REPONAME_REGEXP"         required:"true"`
+	UsernameRegexp string `json:"USERNAME_REGEXP"         required:"true"`
+	PasswordRegexp string `json:"PASSWORD_REGEXP"         required:"true"`
 }
 
 // LoadConfig loads the configuration file from the specified path and deletes the file if needed

main.go

@@ -88,6 +88,12 @@ func main() {
 		return
 	}
 
+	if err := server.Init(cfg.ValidateConfig); err != nil {
+		logrus.Errorf("load ValidateConfig, err:%s", err.Error())
+
+		return
+	}
+
 	if err := auth.Init(cfg); err != nil {
 		logrus.Errorf("load gitee config, err:%s", err.Error())
 

server/server.go

@@ -132,6 +132,15 @@ func (s *server) handleBatch(w http.ResponseWriter, r *http.Request) {
 	userInRepo.Operation = req.Operation
 	userInRepo.Owner = chi.URLParam(r, "owner")
 	userInRepo.Repo = chi.URLParam(r, "repo")
+
+	if !validatecfg.ownerRegexp.MatchString(userInRepo.Owner) || !validatecfg.reponameRegexp.MatchString(userInRepo.Repo) {
+		w.WriteHeader(http.StatusBadRequest)
+		must(json.NewEncoder(w).Encode(batch.ErrorResponse{
+			Message: "invalid owner or reponame format",
+		}))
+		return
+	}
+
 	if err = auth.CheckRepoOwner(userInRepo); req.Operation == "upload" || err != nil {
 		err := s.dealWithAuthError(userInRepo, w, r)
 		if err != nil {
@@ -170,6 +179,15 @@ func (s *server) dealWithAuthError(userInRepo auth.UserInRepo, w http.ResponseWr
 	if username, password, ok := r.BasicAuth(); ok {
 		userInRepo.Username = username
 		userInRepo.Password = password
+
+		if !validatecfg.usernameRegexp.MatchString(userInRepo.Username) ||
+			!validatecfg.passwordRegexp.MatchString(userInRepo.Password) {
+			w.WriteHeader(http.StatusBadRequest)
+			must(json.NewEncoder(w).Encode(batch.ErrorResponse{
+				Message: "invalid username or password format",
+			}))
+			return errors.New("invalid username or password format")
+		}
 		err = s.isAuthorized(userInRepo)
 	} else {
 		err = errors.New("unauthorized: cannot get password")
@@ -190,6 +208,7 @@ func (s *server) dealWithAuthError(userInRepo auth.UserInRepo, w http.ResponseWr
 		}))
 		return err
 	}
+
 	return nil
 }
 

server/validate.go

@@ -0,0 +1,41 @@
+package server
+
+import (
+	"fmt"
+	"github.com/metalogical/BigFiles/config"
+	"regexp"
+)
+
+type validateConfig struct {
+	ownerRegexp    *regexp.Regexp
+	reponameRegexp *regexp.Regexp
+	usernameRegexp *regexp.Regexp
+	passwordRegexp *regexp.Regexp
+}
+
+var validatecfg validateConfig
+
+func Init(cfg config.ValidateConfig) error {
+	var err error
+	validatecfg.ownerRegexp, err = regexp.Compile(cfg.OwnerRegexp)
+	if err != nil {
+		return fmt.Errorf("failed to compile owner regexp: %w", err)
+	}
+
+	validatecfg.reponameRegexp, err = regexp.Compile(cfg.RepoNameRegexp)
+	if err != nil {
+		return fmt.Errorf("failed to compile repo name regexp: %w", err)
+	}
+
+	validatecfg.usernameRegexp, err = regexp.Compile(cfg.UsernameRegexp)
+	if err != nil {
+		return fmt.Errorf("failed to compile username regexp: %w", err)
+	}
+
+	validatecfg.passwordRegexp, err = regexp.Compile(cfg.PasswordRegexp)
+	if err != nil {
+		return fmt.Errorf("failed to compile password regexp: %w", err)
+	}
+
+	return nil
+}