Check that the repo ID hasn't changed to prevent repo-jacking

kevinbackhouse · kevinbackhouse · commit 20a7daf25d7b · 2023-11-15T12:19:00.000Z
diff --git a/src/Controller/ApiController.php b/src/Controller/ApiController.php
@@ -556,8 +556,15 @@ protected function findGitHubPackagesByRepository(string $path, string $remoteId
         }
 
         foreach ($packages as $package) {
-            if ($remoteId && !$package->getRemoteId()) {
-                $package->setRemoteId($remoteId);
+            if ($remoteId) {
+                $actualRemoteId = $package->getRemoteId();
+                if ($actualRemoteId) {
+                    if ($actualRemoteId !== $remoteId) {
+                        throw new BadRequestHttpException('The remoteId of the repo URL '.$path.' has changed from '.$remoteId.' to '.$actualRemoteId);
+                    }
+                } else {
+                    $package->setRemoteId($remoteId);
+                }
             }
         }
 

Original file line number	Diff line number	Diff line change
`@@ -556,8 +556,15 @@ protected function findGitHubPackagesByRepository(string $path, string $remoteId`
`556`	`556`	`}`
`557`	`557`
`558`	`558`	`foreach ($packages as $package) {`
`559`		`- if ($remoteId && !$package->getRemoteId()) {`
`560`		`- $package->setRemoteId($remoteId);`
	`559`	`+ if ($remoteId) {`
	`560`	`+ $actualRemoteId = $package->getRemoteId();`
	`561`	`+ if ($actualRemoteId) {`
	`562`	`+ if ($actualRemoteId !== $remoteId) {`
	`563`	`+ throw new BadRequestHttpException('The remoteId of the repo URL '.$path.' has changed from '.$remoteId.' to '.$actualRemoteId);`
	`564`	`+ }`
	`565`	`+ } else {`
	`566`	`+ $package->setRemoteId($remoteId);`
	`567`	`+ }`
`561`	`568`	`}`
`562`	`569`	`}`
`563`	`570`