private function validateGitLFSRequest(PhabricatorRepository $repository, PhabricatorUser $viewer)
{
if (!$this->getIsGitLFSRequest()) {
return null;
}
if (!$repository->canUseGitLFS()) {
return new PhabricatorVCSResponse(403, pht('The requested repository ("%s") does not support Git LFS.', $repository->getDisplayName()));
}
// If this is using an LFS token, sanity check that we're using it on the
// correct repository. This shouldn't really matter since the user could
// just request a proper token anyway, but it suspicious and should not
// be permitted.
$token = $this->getGitLFSToken();
if ($token) {
$resource = $token->getTokenResource();
if ($resource !== $repository->getPHID()) {
return new PhabricatorVCSResponse(403, pht('The authentication token provided in the request is bound to ' . 'a different repository than the requested repository ("%s").', $repository->getDisplayName()));
}
}
return null;
}
private function getGitLFSRef(PhabricatorRepository $repository, $data)
{
if (!$repository->canUseGitLFS()) {
return null;
}
$lfs_pattern = '(^version https://git-lfs\\.github\\.com/spec/v1[\\r\\n])';
if (!preg_match($lfs_pattern, $data)) {
return null;
}
$matches = null;
if (!preg_match('(^oid sha256:(.*)$)m', $data, $matches)) {
return null;
}
$hash = $matches[1];
$hash = trim($hash);
return id(new PhabricatorRepositoryGitLFSRefQuery())->setViewer($this->getViewer())->withRepositoryPHIDs(array($repository->getPHID()))->withObjectHashes(array($hash))->executeOne();
}
