BUG: invalid user|org / project name

[nelsonic]

Took a quick pomodoro break and looked at the Hits homepage: https://hits.dwyl.com

Noticed that there are still strange entries, e.g:

Fri, 11 Mar 2022 10:45:02 /' | remove_first: 'http:/' }}{{ page.url }}.svg 3618

What even is that? 🤷‍♂️

Then there are the more innocuous but still incorrect ones:

Fri, 11 Mar 2022 10:43:12 /{mikel-brostrom}/{Yolov5_DeepSort_Pytorch}.svg 3562
Fri, 11 Mar 2022 10:06:13 /{cemac}/{SWIFTDB}.svg 22

I think we need to be more strict and actually reject requests that have invalid user|org or repo ... 💭
We should create a new badge e.g:

https://img.shields.io/badge/hits-invalid%20url-red?style=flat-square

Todo

• Write tests that attempt to request an invalid url using the samples above
  • Should return the "invalid url" badge
• Implement the fix
• Publish new version

[SimonLab]

username rules:

[nelsonic]

Indeed some form validation would go a long way.
but people are always going to do URL manipulation so we need some server side validation of requested SVGs. 💭

[SimonLab]

• Create username regex (see BUG: invalid user|org / project name #154 (comment) for regex rule) to validate the the user param
• Create repo regex to validate the repository name (alphanumeric with "-" "_" and "." characters allowed see https://stackoverflow.com/questions/59081778/rules-for-special-characters-in-github-repository-name and https://stackoverflow.com/questions/2514859/regular-expression-for-git-repository
• Add condition to make sure both regex are valid before creating a "hit" in the index action:
  

  hits/lib/hits_web/controllers/hit_controller.ex

  Line 7 in c629c8f

  def index(conn, %{"user" => user, "repository" => repository} = params) do

[SimonLab]

I've created the following function to check the username and repository values:

defp user_valid?(user), do: String.match?(user, ~r/^([[:alnum:]]+-)*[[:alnum:]]+$/)
defp repository_valid?(repo), do: String.match?(repo, ~r/^[[:alnum:]-_.]+$/)

[nelsonic]

Thanks for looking at this. 👍
Definitely add comments for these functions and ref this issue. 💭

[nelsonic]

@SimonLab thanks for creating the PR: #155
I think we need to have a basic 404 page in the app explaining that the URL needs to be valid for the badge to work just to improve the UX for the people who mistakenly created an invalid URL.

[SimonLab]

I've created a new error page:

When a badge is created the link will direct to "/user/repository":

On this endpoint we check if the user and repository are valid and if not redirect to the new error page

[nelsonic]

Fixed. #155