From 96eab261efa9d79331bcbbdb96ad0fc8ab1d0b36 Mon Sep 17 00:00:00 2001 From: Sebastian M'Caw Date: Mon, 19 Aug 2024 08:53:38 +0000 Subject: [PATCH] Add check that commit ID is valid hexadecimal --- src/alire/alire-origins.adb | 4 ++-- src/alire/alire-origins.ads | 4 ++++ testsuite/tests/publish/bad-arguments/test.py | 10 ++++++++++ 3 files changed, 16 insertions(+), 2 deletions(-) diff --git a/src/alire/alire-origins.adb b/src/alire/alire-origins.adb index d838ffd8f..658791d6e 100644 --- a/src/alire/alire-origins.adb +++ b/src/alire/alire-origins.adb @@ -427,14 +427,14 @@ package body Alire.Origins is begin case Scheme is when Pure_Git | Git | HTTP => - if Commit'Length /= Git_Commit'Length then + if not Is_Valid_Commit (Commit) then Raise_Checked_Error ("invalid git commit id, " & "40 digits hexadecimal expected"); end if; return New_Git (VCS_URL, Commit, Subdir); when Hg => - if Commit'Length /= Hg_Commit'Length then + if not Is_Valid_Mercurial_Commit (Commit) then Raise_Checked_Error ("invalid mercurial commit id, " & "40 digits hexadecimal expected"); diff --git a/src/alire/alire-origins.ads b/src/alire/alire-origins.ads index b24327cb8..cf67cd64d 100644 --- a/src/alire/alire-origins.ads +++ b/src/alire/alire-origins.ads @@ -130,6 +130,10 @@ package Alire.Origins is is (S'Length = Git_Commit'Length and then (for all Char of S => Char in Alire.Utils.Hexadecimal_Character)); + function Is_Valid_Mercurial_Commit (S : String) return Boolean + is (S'Length = Hg_Commit'Length and then + (for all Char of S => Char in Alire.Utils.Hexadecimal_Character)); + function Short_Commit (Commit : String) return String; -- First characters in the commit diff --git a/testsuite/tests/publish/bad-arguments/test.py b/testsuite/tests/publish/bad-arguments/test.py index 4c6f13b7b..723013038 100644 --- a/testsuite/tests/publish/bad-arguments/test.py +++ b/testsuite/tests/publish/bad-arguments/test.py 
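Review bot: The new character check guards only this call site, in the `when Pure_Git | Git | HTTP` and `when Hg` branches of alire-origins.adb; nothing in the hunk shows that `New_Git` or its Mercurial counterpart reject a malformed id when they are reached from another caller. A comment at the guard would record why the alphabet matters and not only the length, for example `--  Only hexadecimal ids of the expected length may be passed on to the VCS origin`. It is also worth confirming that origins built from other inputs go through the same predicates, or stating the requirement as a precondition on the constructors. The enclosing function begins and ends outside the hunk.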
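Review bot: `Is_Valid_Mercurial_Commit` in alire-origins.ads is added without a comment, and it repeats the body of the git predicate directly above it with only the length constant changed. A line such as `--  True if S has Hg_Commit'Length characters, all of them hexadecimal` under the declaration would match the commented `Short_Commit` that follows it. Whether `Alire.Utils.Hexadecimal_Character` admits upper-case digits is not visible in this hunk; if it does, the comment should say so, since ids that differ only in case would then both be accepted.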
@@ -34,6 +34,16 @@ assert_match(".*invalid git commit id, 40 digits hexadecimal expected.*", p.out) +# Bad commit characters +p = run_alr("publish", "git+http://github.com/repo", "_"*40, + complain_on_error=False) +assert_match(".*invalid git commit id, 40 digits hexadecimal expected.*", + p.out) +p = run_alr("publish", "hg+http://host.name/repo", "_"*40, + complain_on_error=False) +assert_match(".*invalid mercurial commit id, 40 digits hexadecimal expected.*", + p.out) + # VCS without transport or extension p = run_alr("publish", "http://somehost.com/badrepo", "deadbeef", complain_on_error=False)
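Review bot: Both new cases pass `"_"*40`, in which every character is invalid, so they would still pass if the implementation inspected a single character instead of all forty. A case with one bad character at the end pins the `for all` behaviour: `p = run_alr("publish", "git+http://github.com/repo", "a"*39 + "g", complain_on_error=False)` followed by the same `assert_match` on the git message. The `hg+http` case would benefit from the same addition.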