You've already forked agentic-coding-workflow
git 逻辑
This commit is contained in:
@@ -37,13 +37,27 @@ func ValidateBranch(b string) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// ValidateRemoteURL 检查 scheme 白名单。
|
||||
// ValidateRemoteURL 检查 scheme 白名单,并拒绝 scheme:// 形式中内嵌的 userinfo(凭据)。
|
||||
func ValidateRemoteURL(u string) error {
|
||||
switch {
|
||||
case strings.HasPrefix(u, "https://"),
|
||||
strings.HasPrefix(u, "http://"),
|
||||
strings.HasPrefix(u, "ssh://"),
|
||||
strings.HasPrefix(u, "git@"):
|
||||
strings.HasPrefix(u, "ssh://"):
|
||||
// 拒绝 scheme://user:pass@host 形式的内嵌凭据:内嵌凭据会绕过本系统凭据
|
||||
// 存储并短路数据库 PAT。注意 ssh://git@host 这类裸用户名(无 ":" 密码)是
|
||||
// 合法 SSH 形式,仅当 userinfo 中带 ":" 密码时才判定为内嵌凭据。
|
||||
rest := u[strings.Index(u, "://")+len("://"):]
|
||||
authority := rest
|
||||
if i := strings.IndexByte(rest, '/'); i >= 0 {
|
||||
authority = rest[:i]
|
||||
}
|
||||
if at := strings.IndexByte(authority, '@'); at >= 0 {
|
||||
if strings.ContainsRune(authority[:at], ':') {
|
||||
return errors.New("git_remote_url must not contain embedded credentials")
|
||||
}
|
||||
}
|
||||
return nil
|
||||
case strings.HasPrefix(u, "git@"):
|
||||
return nil
|
||||
}
|
||||
return errors.New("git_remote_url must be https/http/ssh/git@ scheme")
|
||||
|
||||
Reference in New Issue
Block a user