Check that the repo ID hasn't changed to prevent repo-jacking
kevinbackhouse committed Nov 15, 2023
1 parent 9e34e90 commit 20a7daf
Showing 1 changed file with 9 additions and 2 deletions.
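--- a/src/Controller/ApiController.php
+++ b/src/Controller/ApiController.php
@@ -556,8 +556,15 @@ protected function findGitHubPackagesByRepository(string $path, string $remoteId
 }
 
 foreach ($packages as $package) {
-if ($remoteId && !$package->getRemoteId()) {
-$package->setRemoteId($remoteId);
+if ($remoteId) {
+$actualRemoteId = $package->getRemoteId();
+if ($actualRemoteId) {
+if ($actualRemoteId !== $remoteId) {
+throw new BadRequestHttpException('The remoteId of the repo URL '.$path.' has changed from '.$remoteId.' to '.$actualRemoteId);
+}
+} else {
+$package->setRemoteId($remoteId);
+}
 }
 }
 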
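Review bot: The exception message in the `$actualRemoteId !== $remoteId` branch appears to name the two IDs in the wrong order. `$actualRemoteId` is the value already stored on the package and `$remoteId` is the one passed into this call, so the tail of the message should read `' has changed from '.$actualRemoteId.' to '.$remoteId`. A mismatch is the repo-jacking signal this commit is meant to catch, so it is also worth logging it server-side with both IDs, unless code outside the hunk already does, rather than relying only on the 400 returned to the caller. The throw sits inside the `foreach`, so packages earlier in `$packages` may already have had `setRemoteId()` called when a later one fails; whether that gets persisted depends on code not shown here. The function body starts and ends outside the hunk.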
