Harden validateUrl/validateEmail in shared validation utils and add edge-case tests #180

Description

@Jagadeeshftw

📌 Description

src/shared/utils/validation.ts exposes validateUrl, validateEmail, validateRepoName, and validateRequired. validateUrl requires a dot in the hostname (rejecting localhost/IP), and validateEmail uses a simplistic regex that rejects many valid addresses. Edge cases are not all tested.

💡 Why it matters: Over-strict validators block legitimate input; under-strict ones admit bad input.

🧩 Requirements and context

  • Make validateUrl accept valid hosts (localhost/IP) where appropriate while still rejecting non-http(s) schemes (e.g. javascript:).
  • Improve validateEmail to a sounder pattern without introducing catastrophic backtracking.
  • Add tests covering the corrected and rejected cases for all four validators.
  • Document each regex with a comment.

Non-functional requirements

  • Must be secure, tested, and documented.
  • Should be efficient and easy to review.

🛠️ Suggested execution

1. Fork the repo and create a branch

git checkout -b fix/validation-edge-cases

2. Implement changes

  • Write/modify the relevant source: src/shared/utils/validation.ts
  • Write comprehensive tests: src/shared/utils/validation.test.ts
  • Add documentation: inline regex comments + TSDoc
  • Include TSDoc doc comments
  • Validate security assumptions: reject javascript:/data: URLs; avoid ReDoS

3. Test and commit

  • Run tests:
npm run test
  • Cover edge cases: localhost URL, IP URL, dangerous scheme, plus-tagged email
  • Include test output and security notes in the PR description.

Example commit message

fix(validation): correct URL/email rules + edge-case tests

✅ Acceptance criteria

  • validateUrl accepts localhost/IP, rejects dangerous schemes
  • validateEmail accepts common valid forms
  • No ReDoS-prone patterns
  • Tests cover added cases

🔒 Security notes

Reject javascript:/data: schemes; ensure regexes are not exponential-time.
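The scheme allow-list and the linear-time email pattern asked for in the requirements and security notes above, as an added example that is not the project's own validation.ts: it keeps the issue's function names validateUrl/validateEmail, assumes the WHATWG URL class is available (Node and browsers), and adds the RFC 5321 length limits and the "domain must contain a dot" rule for e-mail as choices of this example.

```typescript
// Added example, not the project's validation.ts. URL checks are delegated to
// the WHATWG URL parser (global `URL`) with a scheme allow-list; the email rule
// is a bounded, linear-time pattern.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

function parseUrl(value: string): URL | null {
  try {
    return new URL(value.trim());
  } catch {
    return null; // relative, empty or otherwise unparsable input
  }
}

/** True only for absolute http(s) URLs; localhost and IP literals are accepted. */
export function validateUrl(value: string): boolean {
  const parsed = parseUrl(value);
  if (parsed === null) return false;
  // The parser lowercases the scheme, so "JavaScript:" and "DATA:" are caught here too.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return false;
  return parsed.hostname.length > 0;
}

// Local part: RFC 5322 atext plus '.', with dot placement checked separately.
// Domain: two or more dot-separated labels of [A-Za-z0-9-] ("user@localhost" is
// rejected; that is this example's choice, not a rule from the issue).
// Every quantified class excludes the separator that follows it ('@' or '.'),
// so there is only one way to match any input: no catastrophic backtracking.
const EMAIL_RE =
  /^[A-Za-z0-9!#$%&'*+\/=?^_`{|}~.-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$/;

/** Accepts common valid forms (plus-tags, subdomains); rejects malformed ones. */
export function validateEmail(value: string): boolean {
  const v = value.trim();
  if (v.length === 0 || v.length > 254) return false; // RFC 5321 overall limit
  const at = v.lastIndexOf("@");
  if (at < 1 || at > 64) return false; // local part must be 1..64 characters
  const local = v.slice(0, at);
  // dot-atom rules: no leading/trailing dot, no consecutive dots
  if (local.startsWith(".") || local.endsWith(".") || local.includes("..")) {
    return false;
  }
  return EMAIL_RE.test(v);
}
```

The length checks run before the regex, so even adversarial input is bounded to a few hundred characters of matching work.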

📋 Guidelines

  • Minimum 95% test coverage
  • Clear documentation
  • Timeframe: 96 hours
