
Commit 20a7daf

Check that the repo ID hasn't changed to prevent repo-jacking
1 parent 9e34e90 commit 20a7daf


1 file changed

+9
-2
lines changed


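--- a/src/Controller/ApiController.php
+++ b/src/Controller/ApiController.php
@@ -556,8 +556,15 @@ protected function findGitHubPackagesByRepository(string $path, string $remoteId
         }
 
         foreach ($packages as $package) {
-            if ($remoteId && !$package->getRemoteId()) {
-                $package->setRemoteId($remoteId);
+            if ($remoteId) {
+                $actualRemoteId = $package->getRemoteId();
+                if ($actualRemoteId) {
+                    if ($actualRemoteId !== $remoteId) {
+                        throw new BadRequestHttpException('The remoteId of the repo URL '.$path.' has changed from '.$remoteId.' to '.$actualRemoteId);
+                    }
+                } else {
+                    $package->setRemoteId($remoteId);
+                }
             }
         }
 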