git-serve: check update hook permissions

Verify that the update hook exists and is executable before running Git to prevent from broken repositories when permissions are broken. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2025-02-03 10:43:03 +01:00 · 2019-11-23 11:13:36 -05:00 · 2019-11-23 11:13:36 -05:00 · 771ced3236
commit 771ced3236
parent 86e4cd0731
2 changed files with 9 additions and 0 deletions
--- a/aurweb/exceptions.py
+++ b/aurweb/exceptions.py
@ -16,6 +16,12 @@ class PermissionDeniedException(AurwebException):
        super(PermissionDeniedException, self).__init__(msg)


+class BrokenUpdateHookException(AurwebException):
+    def __init__(self, cmd):
+        msg = 'broken update hook: {:s}'.format(cmd)
+        super(BrokenUpdateHookException, self).__init__(msg)
+
+
 class InvalidUserException(AurwebException):
    def __init__(self, user):
        msg = 'unknown user: {:s}'.format(user)
--- a/aurweb/git/serve.py
+++ b/aurweb/git/serve.py
@ -496,6 +496,9 @@ def serve(action, cmdargv, user, privileged, remote_addr):
            if not privileged and not pkgbase_has_write_access(pkgbase, user):
                raise aurweb.exceptions.PermissionDeniedException(user)

+        if not os.access(git_update_cmd, os.R_OK | os.X_OK):
+            raise aurweb.exceptions.BrokenUpdateHookException(git_update_cmd)
+
        os.environ["AUR_USER"] = user
        os.environ["AUR_PKGBASE"] = pkgbase
        os.environ["GIT_NAMESPACE"] = pkgbase