From 569c49debe06f30a2bbb50b3812e705c556b8adf Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Wed, 25 Feb 2026 08:28:39 -0800
Subject: [PATCH] Add validation constraints for repository creation fields (#36671)
Adds validation constraints to repository creation inputs, enforcing max-length limits for labels/license/readme and enum validation for trust model and object format. Updates both the API option struct and the web form struct to keep validation consistent.
---
 modules/structs/repo.go | 8 ++++----
 services/forms/repo_form.go | 8 ++++----
 services/repository/create.go | 3 +++
 templates/swagger/v1_json.tmpl | 2 +-
 4 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/modules/structs/repo.go b/modules/structs/repo.go
index 765546a5aa..a08cf36037 100644
--- a/modules/structs/repo.go
+++ b/modules/structs/repo.go
@@ -135,7 +135,7 @@ type CreateRepoOption struct {
 // Whether the repository is private
 Private bool `json:"private"`
 // Label-Set to use
- IssueLabels string `json:"issue_labels"`
+ IssueLabels string `json:"issue_labels" binding:"MaxSize(255)"`
 // Whether the repository should be auto-initialized?
 AutoInit bool `json:"auto_init"`
 // Whether the repository is template
@@ -143,15 +143,15 @@ type CreateRepoOption struct {
 // Gitignores to use
 Gitignores string `json:"gitignores"`
 // License to use
- License string `json:"license"`
+ License string `json:"license" binding:"MaxSize(100)"`
 // Readme of the repository to create
- Readme string `json:"readme"`
+ Readme string `json:"readme" binding:"MaxSize(255)"`
 // DefaultBranch of the repository (used when initializes and in template)
 DefaultBranch string `json:"default_branch" binding:"GitRefName;MaxSize(100)"`
 // TrustModel of the repository
 // enum: default,collaborator,committer,collaboratorcommitter
 TrustModel string `json:"trust_model"`
- // ObjectFormatName of the underlying git repository
+ // ObjectFormatName of the underlying git repository, empty string for default (sha1)
 // enum: sha1,sha256
 ObjectFormatName string `json:"object_format_name" binding:"MaxSize(6)"`
 }
diff --git a/services/forms/repo_form.go b/services/forms/repo_form.go
index 765a723968..8b69c6bcc6 100644
--- a/services/forms/repo_form.go
+++ b/services/forms/repo_form.go
@@ -27,9 +27,9 @@ type CreateRepoForm struct {
 DefaultBranch string `binding:"GitRefName;MaxSize(100)"`
 AutoInit bool
 Gitignores string
- IssueLabels string
- License string
- Readme string
+ IssueLabels string `binding:"MaxSize(255)"`
+ License string `binding:"MaxSize(100)"`
+ Readme string `binding:"MaxSize(255)"`
 Template bool
 RepoTemplate int64
@@ -41,7 +41,7 @@ type CreateRepoForm struct {
 Labels bool
 ProtectedBranch bool
- ForkSingleBranch string
+ ForkSingleBranch string `binding:"MaxSize(255)"`
 ObjectFormatName string
 }
diff --git a/services/repository/create.go b/services/repository/create.go
index cbdc9cca76..e027d3b979 100644
--- a/services/repository/create.go
+++ b/services/repository/create.go
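Review bot: `TrustModel` in the second hunk of modules/structs/repo.go keeps only its `json:"trust_model"` tag, although the commit description promises enum validation for the trust model and no other hunk in this patch adds it. The documented enum could be enforced at the binding layer with `binding:"In(default,collaborator,committer,collaboratorcommitter)"` next to the json tag, assuming the binding package's `In(...)` rule is available to this struct. `Gitignores` also stays without any length bound, both here and in the first hunk of services/forms/repo_form.go, so a `MaxSize(...)` tag in line with its neighbours would close that gap in both structs.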
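Review bot: `ForkSingleBranch` in the second hunk of services/forms/repo_form.go receives only a length bound, whereas `DefaultBranch` in the same struct (first hunk) is validated with `GitRefName;MaxSize(100)`. If the field carries a branch name, as its name suggests, `binding:"GitRefName;MaxSize(255)"` would also reject malformed ref names at the form boundary. `ObjectFormatName` on the next line stays untagged while the API struct bounds it with `MaxSize(6)`; adding the same tag would keep the two structs consistent, as the description intends. The allow-list check added in services/repository/create.go protects the web path only if that path reaches `CreateRepositoryDirectly`, which this patch does not show.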
@@ -230,6 +230,9 @@ func CreateRepositoryDirectly(ctx context.Context, doer, owner *user_model.User,
 if opts.ObjectFormatName == "" {
 opts.ObjectFormatName = git.Sha1ObjectFormat.Name()
 }
+ if opts.ObjectFormatName != git.Sha1ObjectFormat.Name() && opts.ObjectFormatName != git.Sha256ObjectFormat.Name() {
+ return nil, fmt.Errorf("unsupported object format: %s", opts.ObjectFormatName)
+ }
 repo := &repo_model.Repository{
 OwnerID: owner.ID,
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index 570747ca57..a1ecc7fb4f 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -23780,7 +23780,7 @@ "x-go-name": "Name" }, "object_format_name": { - "description": "ObjectFormatName of the underlying git repository", + "description": "ObjectFormatName of the underlying git repository, empty string for default (sha1)", "type": "string", "enum": [ "sha1",
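Review bot: The new rejection in `CreateRepositoryDirectly` (services/repository/create.go) returns an untyped `fmt.Errorf` value and formats the caller-supplied name with `%s`. Callers cannot tell this input error apart from an internal failure, so it may surface as a server error rather than a validation error (inferred, the handlers are not part of the patch); a sentinel or typed error that callers can match with `errors.Is` would let them answer with a client-error status. Quoting the value keeps empty strings and control characters visible in logs: `return nil, fmt.Errorf("unsupported object format: %q", opts.ObjectFormatName)`. The function body starts and ends outside the hunk.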