fix(checkver): Harden github checkver (#6641)

Signed-off-by: Chawye Hsu <su+git@chawyehsu.com>

Author: chawyehsu

CHANGELOG.md

@@ -34,6 +34,7 @@
 - **core:** Check `$deprecated_dir` exists before accessing it ([#6574](https://github.com/ScoopInstaller/Scoop/issues/6574))
 - **checkver:** Remove redundant always-true condition in GitHub checkver logic ([#6571](https://github.com/ScoopInstaller/Scoop/issues/6571))
 - **core:** Give `dark` higher priority when use `Extract-DarkArchive` ([#6637](https://github.com/ScoopInstaller/Scoop/issues/6637))
+- **checkver:** Harden github checkver ([#6641](https://github.com/ScoopInstaller/Scoop/issues/6641))
 
 ### Code Refactoring
 

bin/checkver.ps1

@@ -108,6 +108,7 @@ Get-Event | Remove-Event
 Get-EventSubscriber | Unregister-Event
 
 # start all downloads
+$in_progress = 0
 $Queue | ForEach-Object {
     $name, $json, $file = $_
 
@@ -119,7 +120,6 @@ $Queue | ForEach-Object {
     } else {
         $wc.Headers.Add('User-Agent', (Get-UserAgent))
     }
-    Register-ObjectEvent $wc downloadDataCompleted -ErrorAction Stop | Out-Null
 
     # Not Specified
     if ($json.checkver.url) {
@@ -139,27 +139,46 @@ $Queue | ForEach-Object {
     $jsonpath = ''
     $xpath = ''
     $replace = ''
-    $useGithubAPI = $false
 
-    # GitHub
-    if ($regex) {
-        $githubRegex = $regex
-    } else {
-        $githubRegex = '/releases/tag/(?:v|V)?([\d.]+)'
-    }
-    if ($json.checkver -eq 'github') {
-        if (!$json.homepage.StartsWith('https://github.com/')) {
-            error "$name checkver expects the homepage to be a github repository"
+    ## GitHub
+    #
+    # ```json
+    # "homepage": "<valid-repository-url>",
+    # "checkver": "github"
+    # ```
+    #
+    # or
+    #
+    # ```json
+    # "checkver": {
+    #     "github": "<valid-repository-url-or-repository-api-url>"
+    # }
+    # ```
+    if (($json.checkver -eq 'github') -or $json.checkver.github) {
+        $githubUrlPattern = '^https://((www\.)?github\.com/[\w.-]+/[\w.-]+/?|api\.github\.com/repos/[\w.-]+/[\w.-]+/.+)$'
+        $regex = if ($regex) { $regex } else { '/releases/tag/(?:v|V)?([\d.]+)' }
+
+        $inputGithubUrl = $json.homepage
+        $fieldUsed = 'homepage'
+        if ($json.checkver.github) {
+            $inputGithubUrl = $json.checkver.github
+            $fieldUsed = 'checkver.github'
+        }
+
+        if ($inputGithubUrl -notmatch $githubUrlPattern) {
+            error "$name checkver expects $fieldUsed to be a valid GitHub repository URL"
+            return
         }
-        $url = $json.homepage.TrimEnd('/') + '/releases/latest'
-        $regex = $githubRegex
-        $useGithubAPI = $true
-    }
 
-    if ($json.checkver.github) {
-        $url = $json.checkver.github.TrimEnd('/') + '/releases/latest'
-        $regex = $githubRegex
-        $useGithubAPI = $true
+        $url = $inputGithubUrl.TrimEnd('/')
+        if ($url -notlike 'https://api.github.com*') {
+            $url = $url + '/releases/latest'
+        }
+
+        if ($GitHubToken) {
+            $url = $url -replace '//(www\.)?github\.com/', '//api.github.com/repos/'
+            $wc.Headers.Add('Authorization', "token $GitHubToken")
+        }
     }
 
     # SourceForge
@@ -216,13 +235,6 @@ $Queue | ForEach-Object {
 
     $reverse = $json.checkver.reverse -and $json.checkver.reverse -eq 'true'
 
-    if ($url -like '*api.github.com/*') { $useGithubAPI = $true }
-
-    if ($useGithubAPI -and ($null -ne $GitHubToken)) {
-        $url = $url -replace '//(www\.)?github.com/', '//api.github.com/repos/'
-        $wc.Headers.Add('Authorization', "token $GitHubToken")
-    }
-
     $url = substitute $url $substitutions
 
     $state = New-Object psobject @{
@@ -244,7 +256,9 @@ $Queue | ForEach-Object {
     }
 
     $wc.Headers.Add('Referer', (strip_filename $url))
+    Register-ObjectEvent $wc downloadDataCompleted -ErrorAction Stop | Out-Null
     $wc.DownloadDataAsync($url, $state)
+    $in_progress++
 }
 
 function next($er) {
@@ -253,7 +267,6 @@ function next($er) {
 }
 
 # wait for all to complete
-$in_progress = $Queue.length
 while ($in_progress -gt 0) {
     $ev = Wait-Event
     Remove-Event $ev.SourceIdentifier