fix(security): harden repository URL checks

Author: KristjanESPERANTO

pipeline/workers/process-module.ts

@@ -1,5 +1,6 @@
 import { ensureDirectory, fileExists } from "../../scripts/shared/fs-utils.ts";
 import { ensureRepository, getCommitDate } from "../../scripts/shared/git.ts";
+import { isRepositoryType } from "../../scripts/updateRepositoryApiData/helpers.ts";
 import { rename, rm } from "node:fs/promises";
 import { execFile } from "node:child_process";
 import { buildModuleAnalysisCacheKey } from "../../scripts/shared/module-analysis-cache.ts";
@@ -912,7 +913,7 @@ async function enrichModule(module: ModuleInput, config: ProcessModuleConfig): P
   }
 
   // Check GitHub issues
-  if (module.url.includes("github.com") && module.hasGithubIssues === false) {
+  if (isRepositoryType(module.url, "github") && module.hasGithubIssues === false) {
     enrichIssues.push("Issues are not enabled in the GitHub repository. So users cannot report bugs. Please enable issues in your repo.");
   }
 

scripts/check-modules/remote-sha.ts

@@ -8,6 +8,7 @@
 import { buildAuthHeadersFromEnv, createHttpClient } from "../shared/http-client.ts";
 import { createLogger } from "../shared/logger.ts";
 import { createRateLimiter } from "../shared/rate-limiter.ts";
+import { getRepositoryType } from "../updateRepositoryApiData/helpers.ts";
 
 interface RepoCoordinates {
   owner: string;
@@ -263,24 +264,17 @@ export async function getRemoteCommitSha(url: string, branch = "master"): Promis
     return null;
   }
 
-  // Try each platform
-  if (url.includes("github.com")) {
-    return await getGitHubCommitSha(url, branch);
-  }
-
-  if (url.includes("gitlab.com")) {
-    return await getGitLabCommitSha(url, branch);
-  }
-
-  if (url.includes("bitbucket.org")) {
-    return await getBitbucketCommitSha(url, branch);
-  }
-
-  if (url.includes("codeberg.org")) {
-    return await getCodebergCommitSha(url, branch);
+  switch (getRepositoryType(url)) {
+    case "github":
+      return await getGitHubCommitSha(url, branch);
+    case "gitlab":
+      return await getGitLabCommitSha(url, branch);
+    case "bitbucket":
+      return await getBitbucketCommitSha(url, branch);
+    case "codeberg":
+      return await getCodebergCommitSha(url, branch);
+    default:
+      logger.debug(`Unsupported platform for URL: ${url}`);
+      return null;
   }
-
-  // Unsupported platform - caller must clone
-  logger.debug(`Unsupported platform for URL: ${url}`);
-  return null;
 }

scripts/collect-metadata/__tests__/parser.test.js

@@ -46,4 +46,18 @@ describe("collect-metadata/parser", () => {
     assert.strictEqual(modules.length, 0);
     assert.strictEqual(issues.length, 0); // Google.com doesn't match repo patterns, so line is ignored
   });
+
+  it("should parse markdown links without regex backtracking", () => {
+    const markdown = `
+### Utilities
+| [MMM-Title](https://github.com/example/MMM-Title "Repo Title") | [Example User](https://github.com/example) | Description |
+`;
+    const { modules, issues } = parseModuleList(markdown);
+
+    assert.strictEqual(issues.length, 0);
+    assert.strictEqual(modules.length, 1);
+    assert.strictEqual(modules[0].name, "MMM-Title");
+    assert.strictEqual(modules[0].url, "https://github.com/example/MMM-Title");
+    assert.strictEqual(modules[0].maintainer, "Example User");
+  });
 });

scripts/collect-metadata/parser.ts

@@ -55,6 +55,25 @@ function stripUrlTitle(url: string): string {
   return url.substring(0, urlTitleStart);
 }
 
+function parseMarkdownLink(cell: string): { text: string; url: string } | null {
+  const textStart = cell.indexOf("[");
+  const textEnd = cell.indexOf("]", textStart + 1);
+  const urlStart = cell.indexOf("(", textEnd + 1);
+  const urlEnd = cell.indexOf(")", urlStart + 1);
+
+  if (textStart === -1 || textEnd === -1 || urlStart === -1 || urlEnd === -1) {
+    return null;
+  }
+
+  const text = cell.slice(textStart + 1, textEnd).trim();
+  const url = stripUrlTitle(cell.slice(urlStart + 1, urlEnd).trim());
+  if (!text || !url) {
+    return null;
+  }
+
+  return { text, url };
+}
+
 function parseModuleRow(line: string, category: string, issues: string[]): ParsedModuleEntry | null {
   if (!isRepositoryRow(line)) {
     return null;
@@ -66,21 +85,21 @@ function parseModuleRow(line: string, category: string, issues: string[]): Parse
   }
 
   const repoCell = parts[1];
-  const repoMatch = repoCell.match(/\[(.*?)\]\((.*?)\)/u);
-  if (!repoMatch) {
+  const repoLink = parseMarkdownLink(repoCell);
+  if (!repoLink) {
     return null;
   }
 
-  const name = repoMatch[1].trim();
-  const url = stripUrlTitle(repoMatch[2].trim());
+  const name = repoLink.text;
+  const url = repoLink.url;
   const maintainerCell = parts[2] || "";
   const description = parts[3] || "";
   const outdatedInfo = parts[4] ? parts[4].trim() : "";
 
   let maintainer = maintainerCell;
-  const maintainerMatch = maintainerCell.match(/\[(.*?)\]\((.*?)\)/u);
-  if (maintainerMatch) {
-    maintainer = maintainerMatch[1].trim();
+  const maintainerLink = parseMarkdownLink(maintainerCell);
+  if (maintainerLink) {
+    maintainer = maintainerLink.text;
   }
 
   const repoType = getRepositoryType(url);

scripts/updateRepositoryApiData/__tests__/helpers.test.js

@@ -0,0 +1,23 @@
+import { describe, it } from "node:test";
+import { getRepositoryId, getRepositoryType, isRepositoryType } from "../helpers.ts";
+import assert from "node:assert";
+
+describe("updateRepositoryApiData/helpers", () => {
+  it("detects supported repository hosts by exact hostname", () => {
+    assert.strictEqual(getRepositoryType("https://github.com/user/MMM-Test"), "github");
+    assert.strictEqual(getRepositoryType("https://gitlab.com/group/MMM-Test"), "gitlab");
+    assert.strictEqual(getRepositoryType("https://bitbucket.org/team/MMM-Test"), "bitbucket");
+    assert.strictEqual(getRepositoryType("https://codeberg.org/user/MMM-Test"), "codeberg");
+  });
+
+  it("rejects deceptive hostnames that only contain the trusted domain as a substring", () => {
+    assert.strictEqual(getRepositoryType("https://github.com.evil.example/user/MMM-Test"), "unknown");
+    assert.strictEqual(getRepositoryType("https://evil.example/github.com/user/MMM-Test"), "unknown");
+    assert.strictEqual(isRepositoryType("https://github.com.evil.example/user/MMM-Test", "github"), false);
+  });
+
+  it("extracts repository ids from normalized repository urls", () => {
+    assert.strictEqual(getRepositoryId("git+https://github.com/user/MMM-Test.git"), "user/MMM-Test");
+    assert.strictEqual(getRepositoryId("https://github.com/user/MMM-Test/"), "user/MMM-Test");
+  });
+});

scripts/updateRepositoryApiData/helpers.ts

@@ -59,36 +59,67 @@ export interface PartitionModulesResult<TModule extends RepositoryModuleLike> {
   processedCount: number;
 }
 
-export function getRepositoryType(url: string): RepositoryType {
-  if (url.includes("github.com")) {
-    return "github";
+const REPOSITORY_HOSTS: ReadonlyMap<string, Exclude<RepositoryType, "unknown">> = new Map([
+  ["github.com", "github"],
+  ["www.github.com", "github"],
+  ["gitlab.com", "gitlab"],
+  ["www.gitlab.com", "gitlab"],
+  ["bitbucket.org", "bitbucket"],
+  ["www.bitbucket.org", "bitbucket"],
+  ["codeberg.org", "codeberg"],
+  ["www.codeberg.org", "codeberg"]
+]);
+
+function normalizeRepositoryUrl(url: string): string {
+  return url.startsWith("git+https://") || url.startsWith("git+http://")
+    ? url.slice(4)
+    : url;
+}
+
+function parseRepositoryUrl(url: string): URL | null {
+  try {
+    return new URL(normalizeRepositoryUrl(url));
   }
-  if (url.includes("gitlab.com")) {
-    return "gitlab";
+  catch {
+    return null;
   }
-  if (url.includes("bitbucket.org")) {
-    return "bitbucket";
+}
+
+function getRepositoryUrlParts(url: string): { pathParts: string[]; type: Exclude<RepositoryType, "unknown"> } | null {
+  const parsedUrl = parseRepositoryUrl(url);
+  if (!parsedUrl) {
+    return null;
   }
-  if (url.includes("codeberg.org")) {
-    return "codeberg";
+
+  const type = REPOSITORY_HOSTS.get(parsedUrl.hostname.toLowerCase());
+  if (!type) {
+    return null;
   }
-  return "unknown";
+
+  const rawPathParts = parsedUrl.pathname.split("/").filter(Boolean);
+  const pathParts = rawPathParts.map((part, index) =>
+    index === rawPathParts.length - 1 ? part.replace(/\.git$/u, "") : part
+  );
+
+  return { type, pathParts };
+}
+
+export function getRepositoryType(url: string): RepositoryType {
+  return getRepositoryUrlParts(url)?.type ?? "unknown";
 }
 
 export function getRepositoryId(url: string): string | null {
-  const urlParts = url.split("/");
-  const hostIndex = urlParts.findIndex(part =>
-    part.includes("github.com")
-    || part.includes("gitlab.com")
-    || part.includes("bitbucket.org")
-    || part.includes("codeberg.org"));
-
-  if (hostIndex !== -1 && urlParts.length > hostIndex + 2) {
-    return `${urlParts[hostIndex + 1]}/${urlParts[hostIndex + 2]}`;
+  const repositoryUrlParts = getRepositoryUrlParts(url);
+  if (repositoryUrlParts && repositoryUrlParts.pathParts.length >= 2) {
+    return `${repositoryUrlParts.pathParts[0]}/${repositoryUrlParts.pathParts[1]}`;
   }
   return null;
 }
 
+export function isRepositoryType(url: string, repositoryType: Exclude<RepositoryType, "unknown">): boolean {
+  return getRepositoryUrlParts(url)?.type === repositoryType;
+}
+
 export function sortModuleListByLastUpdate<TModule extends RepositoryModuleLike>(previousData: PreviousRepositoryData, moduleList: TModule[]): void {
   moduleList.sort((a, b) => {
     const lastUpdateA = previousData.repositories?.find(repo => repo.id === a.id)?.gitHubDataLastUpdate;