Merge pull request #1095 from andypols/fix-dos-when-pushing-unkown-repo

kriswest · web-flow · commit 11ec0cae5dd0 · 2025-09-02T09:57:14.000+01:00
fix: prevent DOS when checking an unknown repo
diff --git a/test/db/db.test.js b/test/db/db.test.js
@@ -0,0 +1,52 @@
+const chai = require('chai');
+const sinon = require('sinon');
+const db = require('../../src/db');
+
+const { expect } = chai;
+
+describe('db', () => {
+  afterEach(() => {
+    sinon.restore();
+  });
+
+  describe('isUserPushAllowed', () => {
+    it('returns true if user is in canPush', async () => {
+      sinon.stub(db, 'getRepoByUrl').resolves({
+        users: {
+          canPush: ['alice'],
+          canAuthorise: [],
+        },
+      });
+      const result = await db.isUserPushAllowed('myrepo', 'alice');
+      expect(result).to.be.true;
+    });
+
+    it('returns true if user is in canAuthorise', async () => {
+      sinon.stub(db, 'getRepoByUrl').resolves({
+        users: {
+          canPush: [],
+          canAuthorise: ['bob'],
+        },
+      });
+      const result = await db.isUserPushAllowed('myrepo', 'bob');
+      expect(result).to.be.true;
+    });
+
+    it('returns false if user is in neither', async () => {
+      sinon.stub(db, 'getRepoByUrl').resolves({
+        users: {
+          canPush: [],
+          canAuthorise: [],
+        },
+      });
+      const result = await db.isUserPushAllowed('myrepo', 'charlie');
+      expect(result).to.be.false;
+    });
+
+    it('returns false if repo is not registered', async () => {
+      sinon.stub(db, 'getRepoByUrl').resolves(null);
+      const result = await db.isUserPushAllowed('myrepo', 'charlie');
+      expect(result).to.be.false;
+    });
+  });
+});
