oops

zeripath · zeripath · commit 63715dde8455 · 2022-09-03T09:20:32.000+01:00
Signed-off-by: Andrew Thornton &lt;art27@cantab.net&gt;
diff --git a/services/migrations/common.go b/services/migrations/common.go
@@ -26,7 +26,7 @@ func hasBaseURL(toCheck, baseURL string) bool {
 	if len(baseURL) > 0 && baseURL[len(baseURL)-1] != '/' {
 		baseURL += "/"
 	}
-	return strings.HasPrefix(toCheck, baseURL+"/")
+	return strings.HasPrefix(toCheck, baseURL)
 }
 
 // CheckAndEnsureSafePR will check that a give PR is safe
@@ -35,15 +35,15 @@ func CheckAndEnsureSafePR(pr *base.PullRequest, commonCloneBaseURL string, g bas
 	// SECURITY: the patchURL must be checked to have the same baseURL as the current to prevent open redirect
 	if pr.PatchURL != "" && !hasBaseURL(pr.PatchURL, commonCloneBaseURL) {
 		// TODO: Should we check that this url has the expected format for a patch url?
-		WarnAndNotice("PR #%d in %s has invalid PatchURL: %s", pr.Number, g, pr.PatchURL)
+		WarnAndNotice("PR #%d in %s has invalid PatchURL: %s baseURL: %s", pr.Number, g, pr.PatchURL, commonCloneBaseURL)
 		pr.PatchURL = ""
 		valid = false
 	}
 
 	// SECURITY: the headCloneURL must be checked to have the same baseURL as the current to prevent open redirect
 	if pr.Head.CloneURL != "" && !hasBaseURL(pr.Head.CloneURL, commonCloneBaseURL) {
 		// TODO: Should we check that this url has the expected format for a patch url?
-		WarnAndNotice("PR #%d in %s has invalid HeadCloneURL: %s", pr.Number, g, pr.Head.CloneURL)
+		WarnAndNotice("PR #%d in %s has invalid HeadCloneURL: %s baseURL: %s", pr.Number, g, pr.Head.CloneURL, commonCloneBaseURL)
 		pr.Head.CloneURL = ""
 		valid = false
 	}

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ func hasBaseURL(toCheck, baseURL string) bool {`
`26`	`26`	`if len(baseURL) > 0 && baseURL[len(baseURL)-1] != '/' {`
`27`	`27`	`baseURL += "/"`
`28`	`28`	`}`
`29`		`- return strings.HasPrefix(toCheck, baseURL+"/")`
	`29`	`+ return strings.HasPrefix(toCheck, baseURL)`
`30`	`30`	`}`
`31`	`31`
`32`	`32`	`// CheckAndEnsureSafePR will check that a give PR is safe`
`@@ -35,15 +35,15 @@ func CheckAndEnsureSafePR(pr *base.PullRequest, commonCloneBaseURL string, g bas`
`35`	`35`	`// SECURITY: the patchURL must be checked to have the same baseURL as the current to prevent open redirect`
`36`	`36`	`if pr.PatchURL != "" && !hasBaseURL(pr.PatchURL, commonCloneBaseURL) {`
`37`	`37`	`// TODO: Should we check that this url has the expected format for a patch url?`
`38`		`- WarnAndNotice("PR #%d in %s has invalid PatchURL: %s", pr.Number, g, pr.PatchURL)`
	`38`	`+ WarnAndNotice("PR #%d in %s has invalid PatchURL: %s baseURL: %s", pr.Number, g, pr.PatchURL, commonCloneBaseURL)`
`39`	`39`	`pr.PatchURL = ""`
`40`	`40`	`valid = false`
`41`	`41`	`}`
`42`	`42`
`43`	`43`	`// SECURITY: the headCloneURL must be checked to have the same baseURL as the current to prevent open redirect`
`44`	`44`	`if pr.Head.CloneURL != "" && !hasBaseURL(pr.Head.CloneURL, commonCloneBaseURL) {`
`45`	`45`	`// TODO: Should we check that this url has the expected format for a patch url?`
`46`		`- WarnAndNotice("PR #%d in %s has invalid HeadCloneURL: %s", pr.Number, g, pr.Head.CloneURL)`
	`46`	`+ WarnAndNotice("PR #%d in %s has invalid HeadCloneURL: %s baseURL: %s", pr.Number, g, pr.Head.CloneURL, commonCloneBaseURL)`
`47`	`47`	`pr.Head.CloneURL = ""`
`48`	`48`	`valid = false`
`49`	`49`	`}`