Match filename and username exactly

To avoid issues like: jlord/patchwork#40383 Caused by this PR: jlord/patchwork#40183 And leading to exploitation of the bug via: jlord/patchwork#40478
jlord · Apr 22, 2021 · 114f188 · 114f188
1 parent 269f827
commit 114f188
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/merge.js b/merge.js
@@ -94,7 +94,7 @@ module.exports = function (pullreq, callback) {
 
   function verifyFilename (prInfo) {
     var filename = prInfo.filename.toLowerCase()
-    if (filename.match('contributors/add-' + stats.user.toLowerCase())) {
+    if (filename.match(new RegExp('^contributors/add-' + stats.user.toLowerCase() + '.txt$'))) {
       console.log(new Date(), 'PR ', stats.prNum, 'Filename: MATCH ', stats.user)
       return verifyContent(prInfo)
     } else {