From c11114149cc093c0d9fcffde4a7d061e2c41a7cf Mon Sep 17 00:00:00 2001
From: Catherine <whitequark@whitequark.org>
Date: Mon, 22 Sep 2025 19:37:48 +0000
Subject: [PATCH] Allow marking a domain as unconditionally forbidden to
 update.

---
 src/auth.go   | 24 ++++++++++++++++++++++++
 src/config.go |  2 ++
 2 files changed, 26 insertions(+)

diff --git a/src/auth.go b/src/auth.go
index 7967177..0fc5d8f 100644
--- a/src/auth.go
+++ b/src/auth.go
@@ -252,6 +252,10 @@ func AuthorizeMetadataRetrieval(r *http.Request) (*Authorization, error) {
 func AuthorizeUpdateFromRepository(r *http.Request) (*Authorization, error) {
 	causes := []error{AuthError{http.StatusUnauthorized, "unauthorized"}}
 
+	if err := CheckForbiddenDomain(r); err != nil {
+		return nil, err
+	}
+
 	if config.Insecure {
 		log.Println("auth: INSECURE mode: allow *")
 		return &Authorization{}, nil // for testing only
@@ -344,6 +348,10 @@ func AuthorizeBranch(branch string, auth *Authorization) error {
 func AuthorizeUpdateFromArchive(r *http.Request) (*Authorization, error) {
 	causes := []error{AuthError{http.StatusUnauthorized, "unauthorized"}}
 
+	if err := CheckForbiddenDomain(r); err != nil {
+		return nil, err
+	}
+
 	if config.Insecure {
 		log.Println("auth: INSECURE mode")
 		return &Authorization{}, nil // for testing only
@@ -362,3 +370,19 @@ func AuthorizeUpdateFromArchive(r *http.Request) (*Authorization, error) {
 
 	return nil, errors.Join(causes...)
 }
+
+func CheckForbiddenDomain(r *http.Request) error {
+	host, err := GetHost(r)
+	if err != nil {
+		return err
+	}
+
+	host = strings.ToLower(host)
+	for _, reservedDomain := range config.Limits.ForbiddenDomains {
+		if host == strings.ToLower(reservedDomain) {
+			return AuthError{http.StatusForbidden, "forbidden domain"}
+		}
+	}
+
+	return nil
+}
diff --git a/src/config.go b/src/config.go
index 10a50a7..f1999ec 100644
--- a/src/config.go
+++ b/src/config.go
@@ -102,6 +102,8 @@ type LimitsConfig struct {
 	UpdateTimeout Duration `toml:"update-timeout" default:"60s"`
 	// Soft limit on Go heap size, expressed as a fraction of total available RAM.
 	MaxHeapSizeRatio float64 `toml:"max-heap-size-ratio" default:"0.5"`
+	// List of domains unconditionally forbidden for uploads.
+	ForbiddenDomains []string `toml:"forbidden-domains"`
 }
 
 func (config *Config) DebugJSON() string {