Allow marking a domain as unconditionally forbidden to update.

src/auth.go

@@ -252,6 +252,10 @@ func AuthorizeMetadataRetrieval(r *http.Request) (*Authorization, error) {
 func AuthorizeUpdateFromRepository(r *http.Request) (*Authorization, error) {
 	causes := []error{AuthError{http.StatusUnauthorized, "unauthorized"}}
 
+	if err := CheckForbiddenDomain(r); err != nil {
+		return nil, err
+	}
+
 	if config.Insecure {
 		log.Println("auth: INSECURE mode: allow *")
 		return &Authorization{}, nil // for testing only
@@ -344,6 +348,10 @@ func AuthorizeBranch(branch string, auth *Authorization) error {
 func AuthorizeUpdateFromArchive(r *http.Request) (*Authorization, error) {
 	causes := []error{AuthError{http.StatusUnauthorized, "unauthorized"}}
 
+	if err := CheckForbiddenDomain(r); err != nil {
+		return nil, err
+	}
+
 	if config.Insecure {
 		log.Println("auth: INSECURE mode")
 		return &Authorization{}, nil // for testing only
@@ -362,3 +370,19 @@ func AuthorizeUpdateFromArchive(r *http.Request) (*Authorization, error) {
 
 	return nil, errors.Join(causes...)
 }
+
+func CheckForbiddenDomain(r *http.Request) error {
+	host, err := GetHost(r)
+	if err != nil {
+		return err
+	}
+
+	host = strings.ToLower(host)
+	for _, reservedDomain := range config.Limits.ForbiddenDomains {
+		if host == strings.ToLower(reservedDomain) {
+			return AuthError{http.StatusForbidden, "forbidden domain"}
+		}
+	}
+
+	return nil
+}

src/config.go

@@ -102,6 +102,8 @@ type LimitsConfig struct {
 	UpdateTimeout Duration `toml:"update-timeout" default:"60s"`
 	// Soft limit on Go heap size, expressed as a fraction of total available RAM.
 	MaxHeapSizeRatio float64 `toml:"max-heap-size-ratio" default:"0.5"`
+	// List of domains unconditionally forbidden for uploads.
+	ForbiddenDomains []string `toml:"forbidden-domains"`
 }
 
 func (config *Config) DebugJSON() string {