@@ -83,6 +83,8 @@ type link struct {
8383 ExpiresAt time.Time `json:"expires_at,omitempty"`
8484}
8585
86+ var oidRegExp = regexp .MustCompile (`^[A-Fa-f0-9]+$` )
87+
8688// ObjectOidHandler is the main request routing entry point into LFS server functions
8789func ObjectOidHandler (ctx * context.Context ) {
8890
@@ -217,6 +219,12 @@ func PostHandler(ctx *context.Context) {
217219
218220 if ! authenticate (ctx , repository , rv .Authorization , true ) {
219221 requireAuth (ctx )
222+ return
223+ }
224+
225+ if ! oidRegExp .MatchString (rv .Oid ) {
226+ writeStatus (ctx , 404 )
227+ return
220228 }
221229
222230 meta , err := models .NewLFSMetaObject (& models.LFSMetaObject {Oid : rv .Oid , Size : rv .Size , RepositoryID : repository .ID })
@@ -284,10 +292,12 @@ func BatchHandler(ctx *context.Context) {
284292 continue
285293 }
286294
287- // Object is not found
288- meta , err = models .NewLFSMetaObject (& models.LFSMetaObject {Oid : object .Oid , Size : object .Size , RepositoryID : repository .ID })
289- if err == nil {
290- responseObjects = append (responseObjects , Represent (object , meta , meta .Existing , ! contentStore .Exists (meta )))
295+ if oidRegExp .MatchString (object .Oid ) {
296+ // Object is not found
297+ meta , err = models .NewLFSMetaObject (& models.LFSMetaObject {Oid : object .Oid , Size : object .Size , RepositoryID : repository .ID })
298+ if err == nil {
299+ responseObjects = append (responseObjects , Represent (object , meta , meta .Existing , ! contentStore .Exists (meta )))
300+ }
291301 }
292302 }
293303
0 commit comments