Add validation constraints for repository creation fields (#36671)

Adds validation constraints to repository creation inputs, enforcing max-length limits for labels/license/readme and enum validation for trust model and object format. Updates both the API option struct and the web form struct to keep validation consistent.
2026-02-26 23:03:20 +01:00 · 2026-02-25 08:28:39 -08:00 · 2026-02-25 08:28:39 -08:00 · 569c49debe
commit 569c49debe
parent 577ed107dd
4 changed files with 12 additions and 9 deletions
--- a/modules/structs/repo.go
+++ b/modules/structs/repo.go
@ -135,7 +135,7 @@ type CreateRepoOption struct {
 	// Whether the repository is private
 	Private bool `json:"private"`
 	// Label-Set to use
-	IssueLabels string `json:"issue_labels"`
+	IssueLabels string `json:"issue_labels" binding:"MaxSize(255)"`
 	// Whether the repository should be auto-initialized?
 	AutoInit bool `json:"auto_init"`
 	// Whether the repository is template
@ -143,15 +143,15 @@ type CreateRepoOption struct {
 	// Gitignores to use
 	Gitignores string `json:"gitignores"`
 	// License to use
-	License string `json:"license"`
+	License string `json:"license" binding:"MaxSize(100)"`
 	// Readme of the repository to create
-	Readme string `json:"readme"`
+	Readme string `json:"readme" binding:"MaxSize(255)"`
 	// DefaultBranch of the repository (used when initializes and in template)
 	DefaultBranch string `json:"default_branch" binding:"GitRefName;MaxSize(100)"`
 	// TrustModel of the repository
 	// enum: default,collaborator,committer,collaboratorcommitter
 	TrustModel string `json:"trust_model"`
-	// ObjectFormatName of the underlying git repository
+	// ObjectFormatName of the underlying git repository, empty string for default (sha1)
 	// enum: sha1,sha256
 	ObjectFormatName string `json:"object_format_name" binding:"MaxSize(6)"`
 }
--- a/services/forms/repo_form.go
+++ b/services/forms/repo_form.go
@ -27,9 +27,9 @@ type CreateRepoForm struct {
 	DefaultBranch string `binding:"GitRefName;MaxSize(100)"`
 	AutoInit      bool
 	Gitignores    string
-	IssueLabels   string
-	License       string
-	Readme        string
+	IssueLabels   string `binding:"MaxSize(255)"`
+	License       string `binding:"MaxSize(100)"`
+	Readme        string `binding:"MaxSize(255)"`
 	Template      bool

 	RepoTemplate    int64
@ -41,7 +41,7 @@ type CreateRepoForm struct {
 	Labels          bool
 	ProtectedBranch bool

-	ForkSingleBranch string
+	ForkSingleBranch string `binding:"MaxSize(255)"`
 	ObjectFormatName string
 }

--- a/services/repository/create.go
+++ b/services/repository/create.go
@ -230,6 +230,9 @@ func CreateRepositoryDirectly(ctx context.Context, doer, owner *user_model.User,
 	if opts.ObjectFormatName == "" {
 		opts.ObjectFormatName = git.Sha1ObjectFormat.Name()
 	}
+	if opts.ObjectFormatName != git.Sha1ObjectFormat.Name() && opts.ObjectFormatName != git.Sha256ObjectFormat.Name() {
+		return nil, fmt.Errorf("unsupported object format: %s", opts.ObjectFormatName)
+	}

 	repo := &repo_model.Repository{
 		OwnerID:                         owner.ID,
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@ -23780,7 +23780,7 @@
          "x-go-name": "Name"
        },
        "object_format_name": {
-          "description": "ObjectFormatName of the underlying git repository",
+          "description": "ObjectFormatName of the underlying git repository, empty string for default (sha1)",
          "type": "string",
          "enum": [
            "sha1",