fix: enforce ISO 8601 validation for date query parameters

- Add validation for 'since' and 'until' parameters to ensure they follow ISO 8601 (RFC3339) format, returning an error if invalid

Signed-off-by: Bo-Yi Wu <[email protected]>

Author: appleboy

routers/api/v1/repo/commits.go

@@ -8,6 +8,7 @@ import (
 	"math"
 	"net/http"
 	"strconv"
+	"time"
 
 	issues_model "code.gitea.io/gitea/models/issues"
 	user_model "code.gitea.io/gitea/models/user"
@@ -161,6 +162,20 @@ func GetAllCommits(ctx *context.APIContext) {
 	since := ctx.FormString("since")
 	until := ctx.FormString("until")
 
+	// Validate since/until as ISO 8601 (RFC3339)
+	if since != "" {
+		if _, err := time.Parse(time.RFC3339, since); err != nil {
+			ctx.APIError(http.StatusUnprocessableEntity, "invalid 'since' format, expected ISO 8601 (RFC3339)")
+			return
+		}
+	}
+	if until != "" {
+		if _, err := time.Parse(time.RFC3339, until); err != nil {
+			ctx.APIError(http.StatusUnprocessableEntity, "invalid 'until' format, expected ISO 8601 (RFC3339)")
+			return
+		}
+	}
+
 	if ctx.Repo.Repository.IsEmpty {
 		ctx.JSON(http.StatusConflict, api.APIError{
 			Message: "Git Repository is empty.",