Conversation

@tstromberg

No description provided.

@kusari-inspector

kusari-inspector bot commented Jan 15, 2026

Kusari Inspector

Kusari Analysis Results:

Do not proceed without addressing issues

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

While the dependency addition (gopkg.in/[email protected]) is safe with no vulnerabilities and poses no risk, a HIGH impact code injection vulnerability was identified in pkg/prx/auth/auth.go at line 227. The runCommand function executes commands with dynamic parameters without validation or allowlisting, creating potential for arbitrary code execution. Although the likelihood is assessed as LOW, the severity of code injection warrants blocking this PR until addressed. Action required: Implement command allowlisting as provided in the mitigation guidance to validate command names before execution and prevent potential command injection through argument manipulation.

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Code Mitigations

The runCommand function accepts arbitrary command names and arguments without validation. Implement an allowlist of permitted commands to prevent code injection. Example approach: Create a map of allowed commands and validate the 'name' parameter against it before execution. Additionally, consider using a more restrictive function signature that limits which commands can be executed, or validate/sanitize the args parameter to prevent command injection through argument manipulation.

```go
// Imports this snippet relies on (in addition to whatever auth.go already imports).
import (
    "context"
    "fmt"
    "os/exec"
    "strings"
)

// Add before runCommand:
// Allowlist of executables runCommand is permitted to spawn; any other
// name is rejected before a process is created.
var allowedCommands = map[string]bool{
    "git": true,
    "gh": true,
    // add other legitimate commands
}

func (r *Resolver) runCommand(ctx context.Context, name string, args ...string) (string, error) {
    // Validate the command name against the allowlist before executing anything.
    if !allowedCommands[name] {
        return "", fmt.Errorf("command not allowed: %s", name)
    }
    ctx, cancel := context.WithTimeout(ctx, r.timeout)
    defer cancel()

    cmd := exec.CommandContext(ctx, name, args...)
    output, err := cmd.Output()
    if err != nil {
        return "", err
    }

    return strings.TrimSpace(string(output)), nil
}
```

@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: b9dfd36, performed at: 2026-01-15T22:07:27Z

Found this helpful? Give it a 👍 or 👎 reaction!

```go
ctx, cancel := context.WithTimeout(ctx, r.timeout)
defer cancel()

cmd := exec.CommandContext(ctx, name, args...)
```


Issue: The runCommand function accepts arbitrary command names and arguments without validation. Implement an allowlist of permitted commands to prevent code injection. Example approach: Create a map of allowed commands and validate the 'name' parameter against it before execution. Additionally, consider using a more restrictive function signature that limits which commands can be executed, or validate/sanitize the args parameter to prevent command injection through argument manipulation.

Recommended Code Changes:

```go
// Imports this snippet relies on (in addition to whatever auth.go already imports).
import (
    "context"
    "fmt"
    "os/exec"
    "strings"
)

// Add before runCommand:
// Allowlist of executables runCommand is permitted to spawn; any other
// name is rejected before a process is created.
var allowedCommands = map[string]bool{
    "git": true,
    "gh": true,
    // add other legitimate commands
}

func (r *Resolver) runCommand(ctx context.Context, name string, args ...string) (string, error) {
    // Validate the command name against the allowlist before executing anything.
    if !allowedCommands[name] {
        return "", fmt.Errorf("command not allowed: %s", name)
    }
    ctx, cancel := context.WithTimeout(ctx, r.timeout)
    defer cancel()

    cmd := exec.CommandContext(ctx, name, args...)
    output, err := cmd.Output()
    if err != nil {
        return "", err
    }

    return strings.TrimSpace(string(output)), nil
}
```

@kusari-inspector

Kusari PR Analysis rerun based on - b9dfd36 performed at: 2026-01-15T22:07:27Z - link to updated analysis

@tstromberg tstromberg merged commit c4be235 into main Jan 15, 2026
1 of 2 checks passed