diff --git a/lib/ci-debug.sh b/lib/ci-debug.sh index 4fa15ba..dd8a0a5 100755 --- a/lib/ci-debug.sh +++ b/lib/ci-debug.sh @@ -17,6 +17,11 @@ REPO="${FORGE_REPO}" API="${WOODPECKER_SERVER}/api/repos/${WOODPECKER_REPO_ID}" api() { + # Validate API URL to prevent URL injection + if ! validate_url "$API"; then + echo "ERROR: API URL validation failed - possible URL injection attempt" >&2 + return 1 + fi curl -sf -H "Authorization: Bearer ${WOODPECKER_TOKEN}" "${API}/$1" } diff --git a/lib/env.sh b/lib/env.sh index cfaa523..f37cb1a 100755 --- a/lib/env.sh +++ b/lib/env.sh @@ -144,10 +144,62 @@ log() { printf '[%s] %s\n' "$(date -u '+%Y-%m-%d %H:%M:%S UTC')" "$*" } -# Forge API helper — usage: forge_api GET /issues?state=open +# ============================================================================= +# URL VALIDATION HELPER +# ============================================================================= +# Validates that a URL variable matches expected patterns to prevent +# URL injection or redirection attacks (OWASP URL Redirection prevention). +# Returns 0 if valid, 1 if invalid. +# ============================================================================= +validate_url() { + local url="$1" + local allowed_hosts="${2:-}" + + # Must start with http:// or https:// + if [[ ! "$url" =~ ^https?:// ]]; then + return 1 + fi + + # Extract host and reject if it contains @ (credential injection) + if [[ "$url" =~ ^https?://[^@]+@ ]]; then + return 1 + fi + + # If allowed_hosts is specified, validate against it + if [ -n "$allowed_hosts" ]; then + local host + host=$(echo "$url" | sed -E 's|^https?://([^/:]+).*|\1|') + local valid=false + for allowed in $allowed_hosts; do + if [ "$host" = "$allowed" ]; then + valid=true + break + fi + done + if [ "$valid" = false ]; then + return 1 + fi + fi + + return 0 +} + +# ============================================================================= +# FORGE API HELPER +# ============================================================================= +# Usage: forge_api GET /issues?state=open +# Validates FORGE_API before use to prevent URL injection attacks. +# ============================================================================= forge_api() { local method="$1" path="$2" shift 2 + + # Validate FORGE_API to prevent URL injection + if ! validate_url "$FORGE_API"; then + echo "ERROR: FORGE_API validation failed - possible URL injection attempt" >&2 + return 1 + fi + curl -sf -X "$method" \ -H "Authorization: token ${FORGE_TOKEN}" \ -H "Content-Type: application/json" \ @@ -179,13 +231,50 @@ forge_api_all() { done printf '%s' "$all_items" } + +# ============================================================================= +# DIRECT CURL API CALLS WITH URL VALIDATION +# ============================================================================= +# These helpers provide a consistent way to make authenticated API calls +# with URL validation to prevent injection attacks. +# ============================================================================= + +# forge_api_call - Direct curl call with URL validation +# Usage: forge_api_call "GET /issues" [extra_args...] +forge_api_call() { + local url="$1" + shift + + # Validate FORGE_API to prevent URL injection + if ! validate_url "$FORGE_API"; then + echo "ERROR: FORGE_API validation failed - possible URL injection attempt" >&2 + return 1 + fi + + curl -sf -X "${url%% *}" \ + -H "Authorization: token ${FORGE_TOKEN}" \ + -H "Content-Type: application/json" \ + "${FORGE_API}${url#* }" "$@" +} # Backwards-compat alias codeberg_api_all() { forge_api_all "$@"; } -# Woodpecker API helper +# ============================================================================= +# WOODPECKER API HELPER +# ============================================================================= +# Usage: woodpecker_api /repos/{id}/pipelines +# Validates WOODPECKER_SERVER before use to prevent URL injection attacks. +# ============================================================================= woodpecker_api() { local path="$1" shift + + # Validate WOODPECKER_SERVER to prevent URL injection + if ! validate_url "$WOODPECKER_SERVER"; then + echo "ERROR: WOODPECKER_SERVER validation failed - possible URL injection attempt" >&2 + return 1 + fi + curl -sfL \ -H "Authorization: Bearer ${WOODPECKER_TOKEN}" \ "${WOODPECKER_SERVER}/api${path}" "$@"