security(web): path traversal vulnerability and missing input validation #862

@dvrd

Description

Why

Code review round 58 identified a path traversal vulnerability in web/blob.go and web/git.go where repository names from user input are used without sanitization, allowing directory traversal attacks. Additionally, multiple endpoints lack input validation for user-supplied parameters.

What

Add input sanitization for repository names to prevent path traversal attacks:

  1. Sanitize repo parameter in pkg/web/blob.go:getRawBlob() (line 37)
  2. Sanitize repo parameter in pkg/web/git.go (multiple locations)
  3. Add explicit path traversal prevention beyond character validation

Add input validation for user-supplied parameters across:

  4. LFS API endpoints - validate object IDs, lock paths
  5. Repository management endpoints - validate repo names
  6. Webhook endpoints - validate URLs

Where

  • pkg/web/blob.go - getRawBlob() handler uses mux.Vars(r)["repo"] without sanitization
  • pkg/web/git.go - Multiple uses of repo parameter from URL vars without sanitization
  • pkg/utils/utils.go - ValidateRepo() only checks characters, doesn't prevent path traversal

Plan

  1. Update ValidateRepo() in pkg/utils/utils.go to reject path traversal attempts (../, ..\\, ..)
  2. Add sanitization in blob.go and git.go before using repo parameter
  3. Add input validation to LFS and webhook endpoints
  4. Create comprehensive input sanitization strategy document
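The kind of check steps 1 and 2 of the plan call for, as an added example rather than the project's own `ValidateRepo()`: a name validator that rejects `.` and `..` segments (so `../etc`, `..`, and `a/../../b` all fail), plus a path resolver that proves the cleaned path is still under the repository root even if the character policy is later loosened. The allowed character set, the function names and the `/tmp/repos` base are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Assumed policy: slash-separated segments of letters, digits, '.', '_' and '-'.
// Backslashes, empty segments, leading '/' and percent-escapes are rejected.
var repoNameRe = regexp.MustCompile(`^[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)*$`)

var ErrInvalidRepo = errors.New("invalid repository name")

// ValidateRepoName combines the character check with an explicit traversal
// check: ".." passes the regexp, so each segment must also be inspected.
func ValidateRepoName(name string) error {
	if name == "" || !repoNameRe.MatchString(name) {
		return ErrInvalidRepo
	}
	for _, seg := range strings.Split(name, "/") {
		if seg == "." || seg == ".." {
			return ErrInvalidRepo
		}
	}
	return nil
}

// RepoPath joins a validated name under base and then re-checks, via the
// cleaned relative path, that the result cannot escape base (defense in depth).
func RepoPath(base, name string) (string, error) {
	if err := ValidateRepoName(name); err != nil {
		return "", err
	}
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	full := filepath.Join(absBase, filepath.FromSlash(name)) // Join also cleans
	rel, err := filepath.Rel(absBase, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrInvalidRepo
	}
	return full, nil
}

func main() {
	for _, n := range []string{"org/repo", "../etc", "a/../../b", "..", `..\x`} {
		p, err := RepoPath("/tmp/repos", n) // constructed base directory
		fmt.Printf("%-12q -> %q, %v\n", n, p, err)
	}
}
```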

Security Impact

Path Traversal: High - Attackers could read arbitrary files from repositories by crafting malicious repo names
Input Validation: Medium - Various injection and validation bypass attacks possible
Recommendation: Treat as HIGH priority security issue
