From 8ea1d59a00049a586384bf09ed2e03cdfc9b6676 Mon Sep 17 00:00:00 2001
From: AnsibleGuy
Date: Sat, 14 Sep 2024 14:05:43 +0200
Subject: [PATCH] workaround to allow double-quotes in hook-commands (#61)

---
 docs/source/usage/repositories.rst | 2 +-
 src/ansibleguy-webui/aw/api_endpoints/base.py | 3 ++-
 src/ansibleguy-webui/aw/api_endpoints/repository.py | 1 +
 src/ansibleguy-webui/aw/execute/repository.py | 1 +
 4 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/docs/source/usage/repositories.rst b/docs/source/usage/repositories.rst
index 19a13ea..3ef7d3e 100644
--- a/docs/source/usage/repositories.rst
+++ b/docs/source/usage/repositories.rst
@@ -73,7 +73,7 @@ If you want to run multiple ones - they need to be comma-separated.
 
 These hooks will not be processed if you override the actual create/update command.
 
-**Note**: For security reasons (XSS) these characters are not allowed: :code:`& < > "`
+**Note**: For security reasons (XSS) these characters are currently not allowed: :code:`< >`
 
 ----
 
diff --git a/src/ansibleguy-webui/aw/api_endpoints/base.py b/src/ansibleguy-webui/aw/api_endpoints/base.py
index 807bb77..c9a0518 100644
--- a/src/ansibleguy-webui/aw/api_endpoints/base.py
+++ b/src/ansibleguy-webui/aw/api_endpoints/base.py
@@ -96,8 +96,9 @@ def not_implemented(*args, **kwargs):
 def validate_no_xss(value: str, field: str, shell_cmd: bool = False):
     if is_set(value) and isinstance(value, str):
         if shell_cmd:
-            # allow single-quotes
+            # ignore characters shell-commands may need
             value = value.replace("'", '')
+            value = value.replace('&', '')
 
         if value != escape_html(value):
             raise ValidationError(f"Found illegal characters in field '{field}'")
diff --git a/src/ansibleguy-webui/aw/api_endpoints/repository.py b/src/ansibleguy-webui/aw/api_endpoints/repository.py
index c2fea4b..e5055b7 100644
--- a/src/ansibleguy-webui/aw/api_endpoints/repository.py
+++ b/src/ansibleguy-webui/aw/api_endpoints/repository.py
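Review bot: The `shell_cmd` branch now widens what passes the check, but nothing in the hunk documents that `'` and `&` are dropped only from the local copy used for the comparison, or that `"` is still rejected by this function and is only allowed because a caller rewrites it before the call — a reader of `validate_no_xss` alone cannot see that dependency. A docstring should state the contract: `"""Reject value if HTML-escaping would change it. With shell_cmd=True, ' and & are ignored for the comparison (the caller's value is untouched); " and < > are still rejected here, so callers wanting " must rewrite it beforehand. This is an input-side filter only — templates must still escape these fields on output."""`. `escape_html` is defined outside the hunk, so the exact set of characters it escapes should be checked against that docstring. Ignoring `&` also means an entity-looking value such as `&lt;` is no longer flagged, which is harmless only as long as the field is never rendered into HTML without output escaping.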
@@ -31,6 +31,7 @@ def validate(self, attrs: dict):
         for field in Repository.api_fields_write:
             if field in attrs:
                 if field in Repository.fields_shell_cmds:
+                    attrs[field] = attrs[field].replace('"', "''")
                     validate_no_xss(value=attrs[field], field=field, shell_cmd=True)
                 else:
diff --git a/src/ansibleguy-webui/aw/execute/repository.py b/src/ansibleguy-webui/aw/execute/repository.py
index 95c9ee3..e822f0d 100644
--- a/src/ansibleguy-webui/aw/execute/repository.py
+++ b/src/ansibleguy-webui/aw/execute/repository.py
@@ -197,6 +197,7 @@ def _repo_process(self, cmd: str, env: dict):
     def _run_repo_config_cmds(self, cmds: str, env: dict):
         if is_set(cmds):
             for cmd in cmds.split(','):
+                cmd = cmd.replace("''", '"')
                 self._repo_process(cmd=cmd, env=env)
 
     def _git_origin_with_credentials(self) -> str:
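Review bot: The added line calls `.replace` on `attrs[field]` before `validate_no_xss` gets to its `is_set`/`isinstance(..., str)` guard, so a non-string value for a shell-command field (for example `null` in the request body, if the serializer accepts it) now fails with `AttributeError` instead of a `ValidationError`; wrap the rewrite in `if isinstance(attrs[field], str):`. The `"` to `''` mapping is also not reversible: a hook that legitimately contains `''` (an empty single-quoted argument) is stored unchanged and, given the matching execute-side `replace("''", '"')`, is turned into `"` when it runs, which changes the command's meaning — either reject input that already contains `''` before rewriting, e.g. `if "''" in attrs[field]: raise ValidationError(f"Field '{field}' may not contain ''")` (assuming `ValidationError` is in scope here as it is in base.py), or use a placeholder that cannot occur in shell syntax. Since the rewritten value is presumably what gets persisted, users will see `''` echoed back where they typed `"`; a comment on the new line should name this as a deliberate round-trip with the execute side and cite #61 so the two are kept in sync. `validate` starts at the hunk header and continues past the end of the hunk.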
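Review bot: `cmd.replace("''", '"')` is applied unconditionally to every comma-separated hook command, so any `''` that was a genuine part of the command — an empty single-quoted argument, or the `'\''` idiom for embedding a literal single quote — becomes `"` before `_repo_process` runs, which can leave an unbalanced double quote and alter what the shell executes. That is only safe if the API side guarantees a stored value never contains a raw `''`, and that coupling is invisible here, so the new line needs a comment: `# undo the '"' -> "''" rewrite applied at API validation time (#61); both sides must stay in sync`. Whether `_repo_process` hands the string to a shell is not visible in this hunk, so I cannot judge the wider injection surface beyond this substitution. `_run_repo_config_cmds` is complete within the hunk; `_git_origin_with_credentials` continues past it.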