ros/automaker
1
0
Fork 0
mirror of https://github.com/AutoMaker-Org/automaker.git synced 2026-03-21 23:33:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: Fix new branch issues and address code review comments

Browse Source
This commit is contained in:
gsxdsm
2026-02-18 21:36:00 -08:00
parent 2d907938cc
commit 53d07fefb8
30 changed files with 1604 additions and 367 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
apps/server/src/routes/worktree/common.ts
View File

@@ -2,7 +2,7 @@
* Common utilities for worktree routes
*/
import { createLogger } from '@automaker/utils';
import { createLogger, isValidBranchName, MAX_BRANCH_NAME_LENGTH } from '@automaker/utils';
import { exec } from 'child_process';
import { promisify } from 'util';
import { getErrorMessage as getErrorMessageShared, createLogError } from '../common.js';
@@ -14,12 +14,9 @@ export { execGitCommand } from '../../lib/git.js';
const logger = createLogger('Worktree');
export const execAsync = promisify(exec);
// ============================================================================
// Constants
// ============================================================================
/** Maximum allowed length for git branch names */
export const MAX_BRANCH_NAME_LENGTH = 250;
// Re-export git validation utilities from the canonical shared module so
// existing consumers that import from this file continue to work.
export { isValidBranchName, MAX_BRANCH_NAME_LENGTH };
// ============================================================================
// Extended PATH configuration for Electron apps
@@ -63,22 +60,6 @@ export const execEnv = {
PATH: extendedPath,
};
// ============================================================================
// Validation utilities
// ============================================================================
/**
* Validate branch name to prevent command injection.
* Git branch names cannot contain: space, ~, ^, :, ?, *, [, \, or control chars.
* We also reject shell metacharacters for safety.
* The first character must not be '-' to prevent git argument injection.
*/
export function isValidBranchName(name: string): boolean {
// First char must be alphanumeric, dot, underscore, or slash (not dash)
// to prevent git option injection via names like "-flag" or "--option".
return /^[a-zA-Z0-9._/][a-zA-Z0-9._\-/]*$/.test(name) && name.length < MAX_BRANCH_NAME_LENGTH;
}
/**
* Validate git remote name to prevent command injection.
* Allowed characters: alphanumerics, hyphen, underscore, dot, and slash.