fix(project-backup): validate repository before restore

Author: nijel

docs/changes.rst

@@ -25,6 +25,7 @@ Weblate 5.17.1
 * Client-side popup notifications triggered by JavaScript now use Bootstrap toasts.
 * Borg backups that finish with warnings are no longer shown as failed in the management UI, and backup logs now show ``C`` entries for files that changed during the backup.
 * Git exporter no longer rejects shared-history fetches just because the first negotiated ``have`` revisions are newer than Weblate's local history.
+* Project backup import now revalidates component repository URLs before restore.
 
 .. rubric:: Compatibility
 

weblate/trans/backups.py

@@ -52,7 +52,11 @@
 )
 from weblate.utils.data import data_path
 from weblate.utils.hash import checksum_to_hash, hash_to_checksum
-from weblate.utils.validators import validate_bitmap, validate_filename
+from weblate.utils.validators import (
+    validate_bitmap,
+    validate_filename,
+    validate_repo_url,
+)
 from weblate.utils.version import VERSION
 from weblate.vcs.models import VCS_REGISTRY
 
@@ -622,6 +626,7 @@ def load_component(
         with zipfile.open(filename) as handle:
             data = json.load(handle)
             validate_schema(data, "weblate-component.schema.json")
+            self.validate_component_urls(data["component"])
             if skip_linked and data["component"]["repo"].startswith("weblate:"):
                 return False
             if data["component"]["vcs"] not in VCS_REGISTRY:
@@ -648,6 +653,17 @@ def load_component(
                 self.restore_component(zipfile, data, actor, changes)
             return True
 
+    @staticmethod
+    def validate_component_urls(component: dict[str, Any]) -> None:
+        for field in ("repo", "push"):
+            value = component.get(field)
+            if not value:
+                continue
+            try:
+                validate_repo_url(value)
+            except ValidationError as error:
+                raise ValidationError({field: error.messages}) from error
+
     @overload
     def load_components(
         self,

weblate/trans/tests/test_backups.py

@@ -52,6 +52,34 @@
 class BackupsTest(ViewTestCase):
     CREATE_GLOSSARIES: bool = True
 
+    def write_tampered_component_backup(
+        self, *, repo: str | None = None, push: str | None = None
+    ) -> str:
+        backup = ProjectBackup()
+        backup.backup_project(self.project)
+
+        with tempfile.NamedTemporaryFile(suffix=".zip", delete=False) as temp_handle:
+            temp_name = temp_handle.name
+
+        with (
+            ZipFile(backup.filename, "r") as source_zip,
+            ZipFile(temp_name, "w") as target_zip,
+        ):
+            for item in source_zip.infolist():
+                data = source_zip.read(item.filename)
+                if item.filename.endswith(
+                    f"{self.component.slug}.json"
+                ) and item.filename.startswith("components/"):
+                    component_data = json.loads(data.decode("utf-8"))
+                    if repo is not None:
+                        component_data["component"]["repo"] = repo
+                    if push is not None:
+                        component_data["component"]["push"] = push
+                    data = json.dumps(component_data).encode("utf-8")
+                target_zip.writestr(item, data)
+
+        return temp_name
+
     def test_backup_creates_history_entry(self) -> None:
         backup = ProjectBackup()
 
@@ -355,6 +383,60 @@ def test_restore_synthesizes_source_translation_check_flags(self) -> None:
 
         self.assertEqual(restored_source.check_flags, "read-only")
 
+    def test_restore_rejects_invalid_repo_url(self) -> None:
+        temp_name = self.write_tampered_component_backup(
+            repo="https://private.example/repo.git"
+        )
+
+        try:
+            restore = ProjectBackup(temp_name)
+            with (
+                patch(
+                    "weblate.utils.outbound.socket.getaddrinfo",
+                    return_value=[(0, 0, 0, "", ("127.0.0.1", 443))],
+                ),
+                self.assertRaises(ValidationError) as error,
+            ):
+                restore.validate()
+
+            self.assertEqual(
+                error.exception.message_dict,
+                {
+                    "repo": [
+                        "This URL is prohibited because it points to an internal or non-public address."
+                    ]
+                },
+            )
+        finally:
+            os.unlink(temp_name)
+
+    def test_restore_rejects_invalid_push_url(self) -> None:
+        temp_name = self.write_tampered_component_backup(
+            push="https://private.example/push.git"
+        )
+
+        try:
+            restore = ProjectBackup(temp_name)
+            with (
+                patch(
+                    "weblate.utils.outbound.socket.getaddrinfo",
+                    return_value=[(0, 0, 0, "", ("127.0.0.1", 443))],
+                ),
+                self.assertRaises(ValidationError) as error,
+            ):
+                restore.validate()
+
+            self.assertEqual(
+                error.exception.message_dict,
+                {
+                    "push": [
+                        "This URL is prohibited because it points to an internal or non-public address."
+                    ]
+                },
+            )
+        finally:
+            os.unlink(temp_name)
+
     def test_create_duplicate(self) -> None:
         def extract_names(qs) -> list[str]:
             return list(qs.order_by("name").values_list("name", flat=True))