3 files changed,
7 insertions(+),
2 deletions(-)
Author:
Oleksandr Smirnov
olexsmir@gmail.com
Committed at:
2026-04-30 16:09:53 +0300
Authored at:
2026-04-30 16:08:15 +0300
Change ID:
qmqtzxotovntnmwmyqrqrwymluzxorvz
Parent:
2c8d7d2
M
internal/ssh/ssh.go
路路路 103 103 104 104 func (s *Shell) parseCommand(cmd string) (gitCmd, repoName string, err error) { 105 105 cmdParts := strings.Fields(cmd) 106 - if len(cmdParts) < 2 { 106 + if len(cmdParts) != 2 { 107 107 return "", "", fmt.Errorf("invalid command: expected 'git-cmd repo', got %q", cmd) 108 108 } 109 109 110 110 gitCmd = cmdParts[0] 111 111 if !validCommands[gitCmd] { 112 - return "", "", fmt.Errorf("invalid command: disallowd command") 112 + return "", "", fmt.Errorf("invalid command: disallowed command") 113 113 } 114 114 115 115 repoName = strings.Trim(cmdParts[1], "'\"")
M
internal/ssh/ssh_test.go
路路路 58 58 {"git-upload-archive 'archive-repo'", "git-upload-archive", "archive-repo", ""}, 59 59 {"git-upload-pack", "", "", "invalid command"}, 60 60 {"git-upload-pack ''", "", "", "empty repository name"}, 61 + {"git-receive-pack repo.git && echo hi", "", "", "invalid command"}, 61 62 {"echo hi", "", "", "invalid command"}, 62 63 {"", "", "", "invalid command"}, 63 64 }
M
testscript/ssh-push.txtar
路路路 42 42 ! exec $SSH_WRAPPER ignored 'echo hi' 43 43 stderr 'access denied:' 44 44 45 +# should not accept command chaining after git command 46 +! exec $SSH_WRAPPER ignored 'git-receive-pack auto-init.git && echo hi' 47 +stderr 'access denied: invalid command' 48 + 45 49 46 50 -- file.txt -- 47 51 hello from ssh