From e85f068022e6dda23ec0d1c602be653a2d56aa1c Mon Sep 17 00:00:00 2001 From: "Alex Pooley (@zuedev)" Date: Thu, 7 May 2026 22:58:39 +0100 Subject: Handle git init to create new bare repositories --- usr/local/bin/git-wrapper | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) (limited to 'usr/local') diff --git a/usr/local/bin/git-wrapper b/usr/local/bin/git-wrapper index 12c6d21..e46b135 100644 --- a/usr/local/bin/git-wrapper +++ b/usr/local/bin/git-wrapper @@ -7,6 +7,27 @@ if [ -z "$SSH_ORIGINAL_COMMAND" ]; then exit 1 fi +# Handle git init to create new bare repositories +if [[ "$SSH_ORIGINAL_COMMAND" == git\ init* ]]; then + repo=$(echo "$SSH_ORIGINAL_COMMAND" | awk '{print $NF}') + + # Block path traversal attempts and absolute paths + if [[ "$repo" == *..* ]] || [[ "$repo" == /* ]]; then + echo "Invalid path" >&2 + exit 1 + fi + + path="/repositories/$repo" + + # Check if the repository already exists + if [ -d "$path" ]; then + echo "Repository already exists: $repo" >&2 + exit 1 + fi + + exec git init --bare "$path" +fi + # Normalize the SSH_ORIGINAL_COMMAND as modern Git clients can send either form depending on version and protocol negotiation SSH_ORIGINAL_COMMAND=$(echo "$SSH_ORIGINAL_COMMAND" | sed \ 's/^git upload-pack/git-upload-pack/; @@ -42,4 +63,4 @@ case "$cmd" in echo "Command not allowed: $cmd" >&2 exit 1 ;; -esac \ No newline at end of file +esac -- cgit v1.2.3
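Review bot: The name check in the new `git init` branch is a deny-list (`*..*` and a leading `/`) applied to whatever `awk '{print $NF}'` returns, so it accepts more than it should. A bare `git init` makes `$NF` the word `init` and creates `/repositories/init`. A name containing `/` also passes the `-d "$path"` test when it points below an existing repository's directory, so a new bare repository can be created inside another one. I would require exactly three words and match the name against an allow-list; if nested names such as `group/name.git` are intended, validate each segment the same way rather than permitting arbitrary `/`. The dispatch on `$cmd` further down is outside this hunk, so whether it applies its own path checks cannot be seen here.

```bash
if [[ "$SSH_ORIGINAL_COMMAND" == git\ init* ]]; then
    # Require exactly "git init <name>"; a bare "git init" must not yield a name
    read -r -a words <<< "$SSH_ORIGINAL_COMMAND"
    if (( ${#words[@]} != 3 )) || [[ "${words[1]}" != "init" ]]; then
        echo "Usage: git init <repository>" >&2
        exit 1
    fi
    repo=${words[2]}

    # Allow-list the name rather than deny-listing ".." and a leading "/"
    if [[ ! "$repo" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]] || [[ "$repo" == *..* ]]; then
    # … unchanged: "Invalid path" error, path assignment, existence check, exec git init --bare …
```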