mirror of
https://github.com/AutoMaker-Org/automaker.git
synced 2026-03-17 22:13:08 +00:00
7df2182818
* Changes from fix/fetch-before-pull-fetch * feat: Improve pull request flow, add branch selection for worktree creation, fix for automode concurrency count * feat: Add validation for remote names and improve error handling * Address PR comments and mobile layout fixes * ``` refactor: Extract PR target resolution logic into dedicated service ``` * feat: Add app shell UI and improve service imports. Address PR comments * fix: Improve security validation and cache handling in git operations * feat: Add GET /list endpoint and improve parameter handling * chore: Improve validation, accessibility, and error handling across apps * chore: Format vite server port configuration * fix: Add error handling for gh pr list command and improve offline fallbacks * fix: Preserve existing PR creation time and improve remote handling
74 lines
2.7 KiB
TypeScript
74 lines
2.7 KiB
TypeScript
/**
|
|
* Git validation utilities
|
|
*
|
|
* Canonical validators for git-related inputs (branch names, etc.)
|
|
* used across the server codebase.
|
|
*/
|
|
|
|
/** Maximum allowed length for git branch names */
|
|
export const MAX_BRANCH_NAME_LENGTH = 250;
|
|
|
|
/**
|
|
* Validate a git branch name to prevent command injection and ensure
|
|
* it conforms to safe git ref naming rules.
|
|
*
|
|
* Enforces:
|
|
* - Allowed characters: alphanumeric, dot (.), underscore (_), slash (/), dash (-)
|
|
* - First character must NOT be a dash (prevents git argument injection via
|
|
* names like "-flag" or "--option")
|
|
* - Rejects path-traversal sequences (..)
|
|
* - Rejects NUL bytes (\0)
|
|
* - Enforces a maximum length of {@link MAX_BRANCH_NAME_LENGTH} characters
|
|
*
|
|
* @param name - The branch name to validate
|
|
* @returns `true` when the name is safe to pass to git commands
|
|
*
|
|
* @example
|
|
* ```typescript
|
|
* isValidBranchName('feature/my-branch'); // true
|
|
* isValidBranchName('-flag'); // false (starts with dash)
|
|
* isValidBranchName('a..b'); // false (contains ..)
|
|
* isValidBranchName('a\0b'); // false (contains NUL)
|
|
* ```
|
|
*/
|
|
export function isValidBranchName(name: string): boolean {
|
|
// Must not contain NUL bytes
|
|
if (name.includes('\0')) return false;
|
|
// Must not contain path-traversal sequences
|
|
if (name.includes('..')) return false;
|
|
// First char must be alphanumeric, dot, underscore, or slash (not dash).
|
|
// Remaining chars may also include dash.
|
|
// Must be within the length limit.
|
|
return /^[a-zA-Z0-9._/][a-zA-Z0-9._\-/]*$/.test(name) && name.length < MAX_BRANCH_NAME_LENGTH;
|
|
}
|
|
|
|
/**
|
|
* Validate git remote name to prevent command injection.
|
|
* Matches the strict validation used in add-remote.ts:
|
|
* - Rejects empty strings and names that are too long
|
|
* - Disallows names that start with '-' or '.'
|
|
* - Forbids the substring '..'
|
|
* - Rejects '/' characters
|
|
* - Rejects NUL bytes
|
|
* - Must consist only of alphanumerics, hyphens, underscores, and dots
|
|
*
|
|
* @param name - The remote name to validate
|
|
* @returns `true` when the name is safe to pass to git commands
|
|
*
|
|
* @example
|
|
* ```typescript
|
|
* isValidRemoteName('origin'); // true
|
|
* isValidRemoteName('upstream'); // true
|
|
* isValidRemoteName('-flag'); // false (starts with dash)
|
|
* isValidRemoteName('a/b'); // false (contains slash)
|
|
* ```
|
|
*/
|
|
export function isValidRemoteName(name: string): boolean {
|
|
if (!name || name.length >= MAX_BRANCH_NAME_LENGTH) return false;
|
|
if (name.startsWith('-') || name.startsWith('.')) return false;
|
|
if (name.includes('..')) return false;
|
|
if (name.includes('/')) return false;
|
|
if (name.includes('\0')) return false;
|
|
return /^[a-zA-Z0-9._-]+$/.test(name);
|
|
}
|