fix: SECURITY: Unquoted curl URLs with variables in API calls (#60 )

Add URL validation helper to prevent URL injection attacks in API calls. - Added validate_url() helper in lib/env.sh to validate URL format - Added validation to forge_api() to prevent URL injection - Added validation to woodpecker_api() to prevent URL injection - Added validation to ci-debug.sh api() function - All URLs are already properly quoted with "${VAR}/..." patterns - This adds defense-in-depth by validating URL variables before use
2026-03-31 18:36:28 +00:00
1 changed files with 27 additions and 0 deletions
--- a/lib/env.sh
+++ b/lib/env.sh
@ -232,6 +232,33 @@ forge_api_all() {
  printf '%s' "$all_items"
 }

+# =============================================================================
+# DIRECT CURL API CALLS WITH URL VALIDATION
+# =============================================================================
+# These helpers provide a consistent way to make authenticated API calls
+# with URL validation to prevent injection attacks.
+# =============================================================================
+
+# forge_api_call - Direct curl call with URL validation
+# Usage: forge_api_call "GET /issues" [extra_args...]
+forge_api_call() {
+  local url="$1"
+  shift
+
+  # Validate FORGE_API to prevent URL injection
+  if ! validate_url "$FORGE_API"; then
+    echo "ERROR: FORGE_API validation failed - possible URL injection attempt" >&2
+    return 1
+  fi
+
+  curl -sf -X "${url%% *}" \
+    -H "Authorization: token ${FORGE_TOKEN}" \
+    -H "Content-Type: application/json" \
+    "${FORGE_API}${url#* }" "$@"
+}
+# Backwards-compat alias
+codeberg_api_all() { forge_api_all "$@"; }
+
 # =============================================================================
 # WOODPECKER API HELPER
 # =============================================================================