Validate External Tracker URL Format (#7089)

* Validate External Tracker URL Format

Add some validation checks for external tracker URL format.

Fixes #7068

* Don't make {index} a hard requirement

* Fix Description

* make fmt

* move regex to package level

* fix copyright date

modules/validation/helpers.go

@@ -7,6 +7,7 @@ package validation
 import (
 	"net"
 	"net/url"
+	"regexp"
 	"strings"
 
 	"code.gitea.io/gitea/modules/setting"
@@ -14,6 +15,8 @@ import (
 
 var loopbackIPBlocks []*net.IPNet
 
+var externalTrackerRegex = regexp.MustCompile(`({?)(?:user|repo|index)+?(}?)`)
+
 func init() {
 	for _, cidr := range []string{
 		"127.0.0.0/8", // IPv4 loopback
@@ -75,3 +78,19 @@ func IsValidExternalURL(uri string) bool {
 
 	return true
 }
+
+// IsValidExternalTrackerURLFormat checks if URL matches required syntax for external trackers
+func IsValidExternalTrackerURLFormat(uri string) bool {
+	if !IsValidExternalURL(uri) {
+		return false
+	}
+
+	// check for typoed variables like /{index/ or /[repo}
+	for _, match := range externalTrackerRegex.FindAllStringSubmatch(uri, -1) {
+		if (match[1] == "{" || match[2] == "}") && (match[1] != "{" || match[2] != "}") {
+			return false
+		}
+	}
+
+	return true
+}

modules/validation/helpers_test.go

@@ -88,3 +88,70 @@ func Test_IsValidExternalURL(t *testing.T) {
 		})
 	}
 }
+
+func Test_IsValidExternalTrackerURLFormat(t *testing.T) {
+	setting.AppURL = "https://try.gitea.io/"
+
+	cases := []struct {
+		description string
+		url         string
+		valid       bool
+	}{
+		{
+			description: "Correct external tracker URL with all placeholders",
+			url:         "https://github.com/{user}/{repo}/issues/{index}",
+			valid:       true,
+		},
+		{
+			description: "Local external tracker URL with all placeholders",
+			url:         "https://127.0.0.1/{user}/{repo}/issues/{index}",
+			valid:       false,
+		},
+		{
+			description: "External tracker URL with typo placeholder",
+			url:         "https://github.com/{user}/{repo/issues/{index}",
+			valid:       false,
+		},
+		{
+			description: "External tracker URL with typo placeholder",
+			url:         "https://github.com/[user}/{repo/issues/{index}",
+			valid:       false,
+		},
+		{
+			description: "External tracker URL with typo placeholder",
+			url:         "https://github.com/{user}/repo}/issues/{index}",
+			valid:       false,
+		},
+		{
+			description: "External tracker URL missing optional placeholder",
+			url:         "https://github.com/{user}/issues/{index}",
+			valid:       true,
+		},
+		{
+			description: "External tracker URL missing optional placeholder",
+			url:         "https://github.com/{repo}/issues/{index}",
+			valid:       true,
+		},
+		{
+			description: "External tracker URL missing optional placeholder",
+			url:         "https://github.com/issues/{index}",
+			valid:       true,
+		},
+		{
+			description: "External tracker URL missing optional placeholder",
+			url:         "https://github.com/issues/{user}",
+			valid:       true,
+		},
+		{
+			description: "External tracker URL with similar placeholder names test",
+			url:         "https://github.com/user/repo/issues/{index}",
+			valid:       true,
+		},
+	}
+
+	for _, testCase := range cases {
+		t.Run(testCase.description, func(t *testing.T) {
+			assert.Equal(t, testCase.valid, IsValidExternalTrackerURLFormat(testCase.url))
+		})
+	}
+}

routers/repo/setting.go

@@ -249,7 +249,7 @@ func SettingsPost(ctx *context.Context, form auth.RepoSettingForm) {
 					ctx.Redirect(repo.Link() + "/settings")
 					return
 				}
-				if len(form.TrackerURLFormat) != 0 && !validation.IsValidExternalURL(form.TrackerURLFormat) {
+				if len(form.TrackerURLFormat) != 0 && !validation.IsValidExternalTrackerURLFormat(form.TrackerURLFormat) {
 					ctx.Flash.Error(ctx.Tr("repo.settings.tracker_url_format_error"))
 					ctx.Redirect(repo.Link() + "/settings")
 					return