fix: Improve error handling and validation across multiple services

2026-03-20 11:03:08 +00:00 · 2026-02-18 22:11:31 -08:00
parent 53d07fefb8
commit 205f662022
17 changed files with 395 additions and 339 deletions
--- a/apps/server/src/routes/worktree/common.ts
+++ b/apps/server/src/routes/worktree/common.ts
@@ -62,13 +62,21 @@ export const execEnv = {

 /**
 * Validate git remote name to prevent command injection.
- * Allowed characters: alphanumerics, hyphen, underscore, dot, and slash.
- * Rejects empty strings and names that are too long.
+ * Matches the strict validation used in add-remote.ts:
+ * - Rejects empty strings and names that are too long
+ * - Disallows names that start with '-' or '.'
+ * - Forbids the substring '..'
+ * - Rejects '/' characters
+ * - Rejects NUL bytes
+ * - Must consist only of alphanumerics, hyphens, underscores, and dots
 */
 export function isValidRemoteName(name: string): boolean {
-  return (
-    name.length > 0 && name.length < MAX_BRANCH_NAME_LENGTH && /^[a-zA-Z0-9._\-/]+$/.test(name)
-  );
+  if (!name || name.length === 0 || name.length >= MAX_BRANCH_NAME_LENGTH) return false;
+  if (name.startsWith('-') || name.startsWith('.')) return false;
+  if (name.includes('..')) return false;
+  if (name.includes('/')) return false;
+  if (name.includes('\0')) return false;
+  return /^[a-zA-Z0-9._-]+$/.test(name);
 }

 /**
--- a/apps/server/src/routes/worktree/routes/check-changes.ts
+++ b/apps/server/src/routes/worktree/routes/check-changes.ts
@@ -82,6 +82,10 @@ export function createCheckChangesHandler() {

      const hasChanges = staged.length > 0 || unstaged.length > 0 || untracked.length > 0;

+      // Deduplicate file paths across staged, unstaged, and untracked arrays
+      // to avoid double-counting partially staged files
+      const uniqueFilePaths = new Set([...staged, ...unstaged, ...untracked]);
+
      res.json({
        success: true,
        result: {
@@ -89,7 +93,7 @@ export function createCheckChangesHandler() {
          staged,
          unstaged,
          untracked,
-          totalFiles: staged.length + unstaged.length + untracked.length,
+          totalFiles: uniqueFilePaths.size,
        },
      });
    } catch (error) {
--- a/apps/server/src/routes/worktree/routes/checkout-branch.ts
+++ b/apps/server/src/routes/worktree/routes/checkout-branch.ts
@@ -185,13 +185,11 @@ export function createCheckoutBranchHandler(events?: EventEmitter) {
 }

 /**
- * Determine whether an error message represents a client error (400)
+ * Determine whether an error message represents a client error (400).
+ * Stash failures are server-side errors and are intentionally excluded here
+ * so they are returned as HTTP 500 rather than HTTP 400.
 */
 function isBranchError(error?: string): boolean {
  if (!error) return false;
-  return (
-    error.includes('already exists') ||
-    error.includes('does not exist') ||
-    error.includes('Failed to stash')
-  );
+  return error.includes('already exists') || error.includes('does not exist');
 }