Verify git checkout path is in site directory

QuLogic · QuLogic · commit 080a29cc2571 · 2022-03-09T16:31:10.000-05:00
This is unlikely, as we verify inputs come from GitHub using signatures,
but it's best to be safe about this.
diff --git a/webhook.py b/webhook.py
@@ -156,8 +156,10 @@ async def github_webhook(request: web.Request):
                  delivery, ref, expected_branch)
         return web.Response(status=200)
 
-    checkout = Path(os.environ.get('SITE_DIR', 'sites'), repository)
-    if not (checkout / '.git').is_dir():
+    site_dir = Path(os.environ.get('SITE_DIR', 'sites'))
+    checkout = (site_dir / repository).resolve()
+    if (not checkout.is_relative_to(site_dir) or
+            not (checkout / '.git').is_dir()):
         raise web.HTTPInternalServerError(
             reason=(f'{delivery}: Checkout for {organization}/{repository} '
                     'does not exist'))
