diff options
Diffstat (limited to 'src/git/authorization.rs')
| -rw-r--r-- | src/git/authorization.rs | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/src/git/authorization.rs b/src/git/authorization.rs index 1be3de9..bb3bd01 100644 --- a/src/git/authorization.rs +++ b/src/git/authorization.rs | |||
| @@ -29,7 +29,7 @@ | |||
| 29 | 29 | ||
| 30 | use anyhow::{anyhow, Result}; | 30 | use anyhow::{anyhow, Result}; |
| 31 | use nostr_relay_builder::prelude::*; | 31 | use nostr_relay_builder::prelude::*; |
| 32 | use nostr_sdk::ToBech32; | 32 | use nostr_sdk::{EventId, ToBech32}; |
| 33 | use std::collections::{HashMap, HashSet}; | 33 | use std::collections::{HashMap, HashSet}; |
| 34 | use std::sync::Arc; | 34 | use std::sync::Arc; |
| 35 | use tracing::debug; | 35 | use tracing::debug; |
| @@ -647,7 +647,21 @@ pub fn validate_push_refs( | |||
| 647 | 647 | ||
| 648 | // refs/nostr/* is handled separately per GRASP-01 | 648 | // refs/nostr/* is handled separately per GRASP-01 |
| 649 | if ref_name.starts_with("refs/nostr/") { | 649 | if ref_name.starts_with("refs/nostr/") { |
| 650 | debug!("refs/nostr/ push will be validated separately"); | 650 | // Extract event_id from "refs/nostr/<event-id>" |
| 651 | if let Some(event_id_str) = ref_name.strip_prefix("refs/nostr/") { | ||
| 652 | // Validate it parses as a valid EventId | ||
| 653 | if EventId::parse(event_id_str).is_err() { | ||
| 654 | return Err(anyhow!( | ||
| 655 | "Invalid event ID format in ref: {}. Expected valid nostr event ID.", | ||
| 656 | ref_name | ||
| 657 | )); | ||
| 658 | } | ||
| 659 | // Valid EventId format - allow push (skip state event check) | ||
| 660 | debug!("refs/nostr/{} push authorized (valid EventId)", event_id_str); | ||
| 661 | continue; // Skip the rest of ref validation for this ref | ||
| 662 | } else { | ||
| 663 | return Err(anyhow!("Invalid refs/nostr/ format: {}", ref_name)); | ||
| 664 | } | ||
| 651 | } | 665 | } |
| 652 | } | 666 | } |
| 653 | 667 | ||