fix: address second round of code review feedback

Backend improvements: - Create shared validation utility for project name validation - Add asyncio.Lock to prevent concurrent _query_claude calls - Fix _create_features_bulk: use flush() for IDs, add rollback on error - Use unique temp settings file instead of overwriting .claude_settings.json - Remove exception details from error messages (security) Frontend improvements: - Memoize onError callback in ExpandProjectChat for stable dependencies - Add timeout to start() checkAndSend loop to prevent infinite retries - Add manuallyDisconnectedRef to prevent reconnection after explicit disconnect - Clear pending reconnect timeout in disconnect() Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-30 14:22:04 +00:00 · 2026-01-09 23:57:50 -05:00
parent 75f2bf2a10
commit cdcbd11272
7 changed files with 106 additions and 53 deletions
--- a/server/utils/validation.py
+++ b/server/utils/validation.py
@@ -0,0 +1,28 @@
+"""
+Shared validation utilities for the server.
+"""
+
+import re
+
+from fastapi import HTTPException
+
+
+def validate_project_name(name: str) -> str:
+    """
+    Validate and sanitize project name to prevent path traversal.
+
+    Args:
+        name: Project name to validate
+
+    Returns:
+        The validated project name
+
+    Raises:
+        HTTPException: If name is invalid
+    """
+    if not re.match(r'^[a-zA-Z0-9_-]{1,50}$', name):
+        raise HTTPException(
+            status_code=400,
+            detail="Invalid project name. Use only letters, numbers, hyphens, and underscores (1-50 chars)."
+        )
+    return name