SECURITY: Improve theme git import (#12694)

2025-02-25 18:55:32 -06:00 · 2021-04-14 15:32:47 +01:00
parent 0afcf9e12e
commit 9430185493
3 changed files with 19 additions and 1 deletions
--- a/lib/theme_store/git_importer.rb
+++ b/lib/theme_store/git_importer.rb
@@ -25,7 +25,16 @@ class ThemeStore::GitImporter
    end
    if version = Discourse.find_compatible_git_resource(@temp_folder)
      Discourse::Utils.execute_command(chdir: @temp_folder) do |runner|
-        return runner.exec("git cat-file -e #{version} || git fetch --depth 1 $(git rev-parse --symbolic-full-name @{upstream} | awk -F '/' '{print $3}') #{version}; git reset --hard #{version}")
+        begin
+          runner.exec "git", "cat-file", "-e", version
+        rescue RuntimeError => e
+          tracking_ref = runner.exec "git", "rev-parse", "--abbrev-ref", "--symbolic-full-name", "@{upstream}"
+          remote_name = tracking_ref.split("/", 2)[0]
+          runner.exec "git", "fetch", "--depth", "1", remote_name, "#{version}:#{version}"
+        end
+        runner.exec "git", "reset", "--hard", version
+      rescue RuntimeError
+        raise RemoteTheme::ImportError.new(I18n.t("themes.import_error.git_ref_not_found", ref: version))
      end
    end
  end