Make tracker names match [A-Za-z0-9._-]+

Fixes an issue where "_" could be used as a wildcard in tracker names.
Also prohibits use of '.git' and '.hg' as tracker names.

todosrht/access.py

@@ -51,7 +51,7 @@ def get_tracker(owner, name, with_for_update=False, user=None):
             return None, None
     tracker = (Tracker.query
         .filter(Tracker.owner_id == owner.id)
-        .filter(Tracker.name.ilike(name)))
+        .filter(Tracker.name.ilike(name.replace('_', '\\_'))))
     if with_for_update:
         tracker = tracker.with_for_update()
     tracker = tracker.one_or_none()

todosrht/tickets.py

@@ -36,21 +36,21 @@ USER_MENTION_PATTERN = re.compile(r"""
 
 # Matches ticket mentions, e.g. #17, tracker#17 and ~user/tracker#17
 TICKET_MENTION_PATTERN = re.compile(r"""
-    (?<![^\s(])                      # No leading non-whitespace characters
-    (~(?P<username>\w+)/)?           # Optional username
-    (?P<tracker_name>[a-z0-9_.-]+)?  # Optional tracker name
-    \#(?P<ticket_id>\d+)             # Ticket ID
-    \b                               # Word boundary
+    (?<![^\s(])                         # No leading non-whitespace characters
+    (~(?P<username>\w+)/)?              # Optional username
+    (?P<tracker_name>[A-Za-z0-9_.-]+)?  # Optional tracker name
+    \#(?P<ticket_id>\d+)                # Ticket ID
+    \b                                  # Word boundary
 """, re.VERBOSE)
 
 # Matches ticket URL
 TICKET_URL_PATTERN = re.compile(f"""
-    (?<![^\\s(])                      # No leading non-whitespace characters
-    {origin}/                         # Base URL
-    ~(?P<username>\\w+)/              # Username
-    (?P<tracker_name>[a-z0-9_.-]+)/   # Tracker name
-    (?P<ticket_id>\\d+)               # Ticket ID
-    \\b                               # Word boundary
+    (?<![^\\s(])                        # No leading non-whitespace characters
+    {origin}/                           # Base URL
+    ~(?P<username>\\w+)/                # Username
+    (?P<tracker_name>[A-Za-z0-9_.-]+)/  # Tracker name
+    (?P<ticket_id>\\d+)                 # Ticket ID
+    \\b                                 # Word boundary
 """, re.VERBOSE)
 
 def get_participant_for_user(user):

todosrht/types/tracker.py

@@ -6,7 +6,7 @@ from srht.flagtype import FlagType
 from srht.validation import Validation
 from todosrht.types import TicketAccess, TicketStatus, TicketResolution
 
-name_re = re.compile(r"^([a-zA-Z][a-zA-Z0-9._-]*?)+$")
+name_re = re.compile(r"^[A-Za-z0-9._-]+$")
 
 class Tracker(Base):
     __tablename__ = 'tracker'
@@ -70,11 +70,14 @@ class Tracker(Base):
                 "Must be between 1 and 255 characters",
                 field="name")
         valid.expect(not valid.ok or name_re.match(name),
-                "Only alphanumeric characters or <samp>._-</samp>",
+                "Name must match [A-Za-z0-9._-]+",
                 field="name")
         valid.expect(not valid.ok or name not in [".", ".."],
                 "Name cannot be '.' or '..'",
                 field="name")
+        valid.expect(not valid.ok or name not in [".git", ".hg"],
+                "Name must not be '.git' or '.hg'",
+                field="name")
         valid.expect(not desc or len(desc) < 4096,
                 "Must be less than 4096 characters",
                 field="description")
@@ -83,7 +86,7 @@ class Tracker(Base):
 
         tracker = (Tracker.query
                 .filter(Tracker.owner_id == user.id)
-                .filter(Tracker.name.ilike(name))
+                .filter(Tracker.name.ilike(name.replace('_', '\\_')))
             ).first()
         valid.expect(not tracker,
                 "A tracker by this name already exists", field="name")