Verify git checkout path is in site directory

QuLogic · QuLogic · commit c3b7a7a7a799 · 2022-03-09T17:02:37.000-05:00
This is unlikely, as we verify inputs come from GitHub using signatures,
but it's best to be safe about this.
diff --git a/webhook.py b/webhook.py
@@ -156,9 +156,14 @@ async def github_webhook(request: web.Request):
                  delivery, ref, expected_branch)
         return web.Response(status=200)
 
-    checkout = Path(os.environ.get('SITE_DIR', 'sites'), repository)
+    site_dir = Path(os.environ.get('SITE_DIR', 'sites'))
+    checkout = (site_dir / repository).resolve()
+    if not checkout.is_relative_to(site_dir):
+        raise web.HTTPBadRequest(
+            reason=(f'{delivery}: Checkout for {organization}/{repository} '
+                    'does not exist'))
     if not (checkout / '.git').is_dir():
-        raise web.HTTPInternalServerError(
+        raise web.HTTPBadRequest(
             reason=(f'{delivery}: Checkout for {organization}/{repository} '
                     'does not exist'))
     task = asyncio.create_task(
