Merge branch 'release/2.3.2'

CHANGELOG.md

@@ -1,3 +1,10 @@
+# v2.3.2
+## 06/03/2021
+
+1. [](#bugfix)
+   * Better validation for Git Repository value on both Wizard and Backend. 
+   * Prevent malicious commands from being executed in Wizard when "Verifying Authentication, Connection and Branch".
+
 # v2.3.1
 ## 04/30/2021
 

app/wizard/index.js

@@ -5,6 +5,7 @@ import { config } from 'grav-config';
 import $ from 'jquery';
 import 'whatwg-fetch';
 
+const GIT_REGEX = /(?:git|ssh|https?|git@[-\w.]+):(\/\/)?(.*?)(\.git)(\/?|\#[-\d\w._]+?)$/;
 const WIZARD = $('[data-remodal-id="wizard"]');
 const RESET_LOCAL = $('[data-remodal-id="reset-local"]');
 const SERVICES = { 'github': 'github.com', 'bitbucket': 'bitbucket.org', 'gitlab': 'gitlab.com', 'allothers': 'allothers.repo' };
@@ -252,9 +253,16 @@ $(document).on('change', '[name="gitsync[repository]"]', () => {
 $(document).on('input', '[name="gitsync[repo_url]"]', (event) => {
     const target = $(event.currentTarget);
     const value = target.val();
+    const isGitURL = GIT_REGEX.test(value);
     const next = WIZARD.find('[data-gitsync-action="next"]');
 
-    if (value.length) {
+    target.removeClass('invalid');
+
+    if (!isGitURL) {
+        target.addClass('invalid');
+    }
+
+    if (isGitURL && value.length) {
         enableButton(next);
     } else {
         disableButton(next);

blueprints.yaml

@@ -1,7 +1,7 @@
 name: Git Sync
 type: plugin
 slug: git-sync
-version: 2.3.1
+version: 2.3.2
 description: Allows to synchronize portions of Grav with Git Repositories (GitHub, BitBucket, GitLab)
 icon: git
 author:
@@ -62,7 +62,7 @@ form:
       underline: true
 
     SyncNotice:
-      type: spacer
+      type: hidden
       markdown: true
       text: |
         ! To improve the speed of saving pages you can disable automatic sync. Then, changes to a page will not be sent to the remote repository on every save. To sync your changes to the repository tap the GitSync button (<i class="fa fa-git"></i>) in the top left of the Administration Panel, or use the below Scheduler option to add the GitSync Syncronization Job to the Scheduler (<strong>Grav 1.6 required</strong>).

classes/GitSync.php

@@ -4,6 +4,7 @@
 use Grav\Common\Grav;
 use Grav\Common\Plugin;
 use Grav\Common\Utils;
+use http\Exception\RuntimeException;
 use RocketTheme\Toolbox\File\File;
 use SebastianBergmann\Git\Git;
 
@@ -115,6 +116,10 @@ public function getRuntimeInformation()
      */
     public function testRepository($url, $branch)
     {
+        if (!preg_match(Helper::GIT_REGEX, $url)) {
+            throw new \RuntimeException("Git Repository value does not match the supported format.");
+        }
+
         $branch = $branch ? '"' . $branch . '"' : '';
         return $this->execute("ls-remote \"{$url}\" {$branch}");
     }

classes/Helper.php

@@ -13,6 +13,9 @@ class Helper
     /** @var string */
     private static $hash = '594ef69d-6c29-45f7-893a-f1b4342687d3';
 
+    /** @var string */
+    const GIT_REGEX = '/(?:git|ssh|https?|git@[-\w.]+):(\/\/)?(.*?)(\.git)(\/?|\#[-\d\w._]+?)$/';
+
     /**
      * Checks if the user/ folder is already initialized
      *

package.json

@@ -19,26 +19,26 @@
   },
   "homepage": "https://github.com/trilbymedia/grav-plugin-git-sync#readme",
   "devDependencies": {
-    "@babel/core": "^7.13.15",
+    "@babel/core": "^7.14.3",
     "@babel/plugin-proposal-class-properties": "^7.13.0",
-    "@babel/plugin-proposal-json-strings": "^7.13.8",
-    "@babel/plugin-proposal-object-rest-spread": "^7.13.8",
+    "@babel/plugin-proposal-json-strings": "^7.14.2",
+    "@babel/plugin-proposal-object-rest-spread": "^7.14.4",
     "@babel/plugin-syntax-dynamic-import": "^7.8.3",
     "@babel/plugin-syntax-import-meta": "^7.10.4",
-    "@babel/polyfill": "^7.11.5",
-    "@babel/preset-env": "^7.13.15",
+    "@babel/polyfill": "^7.12.1",
+    "@babel/preset-env": "^7.14.4",
     "babel-eslint": "^10.1.0",
     "babel-loader": "^8.2.2",
-    "css-loader": "^5.2.2",
-    "eslint": "^7.24.0",
+    "css-loader": "^5.2.6",
+    "eslint": "^7.27.0",
     "eslint-loader": "^4.0.2",
-    "exports-loader": "^2.0.0",
-    "imports-loader": "^2.0.0",
+    "exports-loader": "^3.0.0",
+    "imports-loader": "^3.0.0",
     "json-loader": "^0.5.7",
     "style-loader": "^2.0.0",
     "uglifyjs-webpack-plugin": "^2.2.0",
-    "webpack": "^5.33.2",
-    "webpack-cli": "^4.6.0",
+    "webpack": "^5.38.1",
+    "webpack-cli": "^4.7.0",
     "whatwg-fetch": "^3.6.2"
   }
 }

scss/plugin/_wizard.scss

@@ -66,6 +66,11 @@
     border-color: #ddd;
   }
 
+  input.invalid {
+    border-color: #f4516d;
+    color: #f4516d;
+  }
+
   label {
     &.disabled {
       color: #ccc;

templates/partials/modal-wizard.html.twig

@@ -167,7 +167,7 @@
                     </li>
                     <li>Once you have made your repository, copy the full HTTPS URL and paste it into the box below.
                         <ul>
-                            <li>Most services offer both SSH and HTTPS addresses, <strong>but only HTTPS is supported at this time</strong>.</li>
+                            <li>Most services offer both SSH and HTTPS addresses, <strong>HTTPS is the recommended method.</strong>.</li>
                         </ul>
                     </li>
                 </ol>
@@ -202,7 +202,7 @@
 
             <p>
                 <label>
-                    Git Repository (<strong>HTTPS only</strong>)
+                    Git Repository
 
                     <input type="text" name="gitsync[repo_url]" placeholder="https://github.com/getgrav/grav.git" value="{{ settings.repository|default('') }}" />
                 </label>