allow single-quotes in hook-commands (#61)

docs/source/usage/repositories.rst

@@ -73,6 +73,8 @@ If you want to run multiple ones - they need to be comma-separated.
 
 These hooks will not be processed if you override the actual create/update command.
 
+**Note**: For security reasons (XSS) these characters are not allowed: :code:`& < > "`
+
 ----
 
 Clone via SSH

src/ansibleguy-webui/aw/api_endpoints/base.py

@@ -93,6 +93,11 @@ def not_implemented(*args, **kwargs):
     return JsonResponse({'error': 'Not yet implemented'}, status=404)
 
 
-def validate_no_xss(value: str, field: str):
-    if is_set(value) and isinstance(value, str) and value != escape_html(value):
-        raise ValidationError(f"Found illegal characters in field '{field}'")
+def validate_no_xss(value: str, field: str, shell_cmd: bool = False):
+    if is_set(value) and isinstance(value, str):
+        if shell_cmd:
+            # allow single-quotes
+            value = value.replace("'", '')
+
+        if value != escape_html(value):
+            raise ValidationError(f"Found illegal characters in field '{field}'")

src/ansibleguy-webui/aw/api_endpoints/repository.py

@@ -30,7 +30,11 @@ class Meta:
     def validate(self, attrs: dict):
         for field in Repository.api_fields_write:
             if field in attrs:
-                validate_no_xss(value=attrs[field], field=field)
+                if field in Repository.fields_shell_cmds:
+                    validate_no_xss(value=attrs[field], field=field, shell_cmd=True)
+
+                else:
+                    validate_no_xss(value=attrs[field], field=field)
 
         return attrs
 

src/ansibleguy-webui/aw/model/repository.py

@@ -31,6 +31,7 @@ class Repository(BaseModel):
 
     ])
     api_fields_write = form_fields
+    fields_shell_cmds = ['git_hook_pre', 'git_hook_post', 'git_override_initialize', 'git_override_update']
 
     name = models.CharField(max_length=100, null=False, blank=False)
     rtype = models.PositiveSmallIntegerField(choices=CHOICES_REPOSITORY)