repo: validate Git server hook name for editing (#8103)

2026-01-27 09:39:18 +01:00 · 2026-01-23 09:40:36 -05:00
parent 9e70cdf437
commit 4dc0a99919
1 changed files with 23 additions and 4 deletions
--- a/internal/route/repo/setting.go
+++ b/internal/route/repo/setting.go
@@ -582,13 +582,27 @@ func SettingsGitHooks(c *context.Context) {
 	c.Success(SETTINGS_GITHOOKS)
 }

+func isValidHookName(name git.HookName) bool {
+	for _, h := range git.ServerSideHooks {
+		if h == name {
+			return true
+		}
+	}
+	return false
+}
+
 func SettingsGitHooksEdit(c *context.Context) {
 	c.Data["Title"] = c.Tr("repo.settings.githooks")
 	c.Data["PageIsSettingsGitHooks"] = true
 	c.Data["RequireSimpleMDE"] = true

-	name := c.Params(":name")
-	hook, err := c.Repo.GitRepo.Hook("custom_hooks", git.HookName(name))
+	name := git.HookName(c.Params(":name"))
+	if !isValidHookName(name) {
+		c.NotFound()
+		return
+	}
+
+	hook, err := c.Repo.GitRepo.Hook("custom_hooks", name)
 	if err != nil {
 		c.NotFoundOrError(osutil.NewError(err), "get hook")
 		return
@@ -598,8 +612,13 @@ func SettingsGitHooksEdit(c *context.Context) {
 }

 func SettingsGitHooksEditPost(c *context.Context) {
-	name := c.Params(":name")
-	hook, err := c.Repo.GitRepo.Hook("custom_hooks", git.HookName(name))
+	name := git.HookName(c.Params(":name"))
+	if !isValidHookName(name) {
+		c.NotFound()
+		return
+	}
+
+	hook, err := c.Repo.GitRepo.Hook("custom_hooks", name)
 	if err != nil {
 		c.NotFoundOrError(osutil.NewError(err), "get hook")
 		return