Add repo name check to V2

Fixes #592
2015-10-05 14:19:52 -04:00 · 2015-10-05 14:19:52 -04:00 · f393236c9f
commit f393236c9f
parent 16c0d19934
3 changed files with 17 additions and 4 deletions
--- a/endpoints/v2/v2auth.py
+++ b/endpoints/v2/v2auth.py
@ -17,10 +17,9 @@ from auth.permissions import (ModifyRepositoryPermission, ReadRepositoryPermissi
                              CreateRepositoryPermission)
 from endpoints.v2 import v2_bp
 from util.cache import no_cache
-from util.names import parse_namespace_repository
+from util.names import parse_namespace_repository, REPOSITORY_NAME_REGEX
 from endpoints.decorators import anon_protect

-
 logger = logging.getLogger(__name__)


@ -73,6 +72,11 @@ def generate_registry_jwt():
    actions = match.group(2).split(',')

    namespace, reponame = parse_namespace_repository(namespace_and_repo)
+
+    # Ensure that we are never creating an invalid repository.
+    if not REPOSITORY_NAME_REGEX.match(reponame):
+      abort(400)
+
    if 'pull' in actions and 'push' in actions:
      if user is None:
        abort(401)