Security/url validation #8

Open: cedric-appdirect wants to merge 3 commits into jgordijn:main from cedric-appdirect:security/url-validation

@cedric-appdirect


No description provided.

Add url-validator module with two exported functions:

- validateGitUrl: allowlist of URL schemes (https, http, git@, ssh, file),
  leading-dash rejection, control-character rejection, and post-scheme
  authority validation to block ssh://-oProxyCommand attacks.

- validateGitRef: strict character allowlist for branch/tag/SHA refs,
  leading-dash rejection, and range-operator (..) rejection. Excludes
  revision operators (^, ~, {, }, :) that are not ref names.

57 new tests covering valid inputs, flag injection, unsupported schemes,
control characters, SSH authority injection, git@ hostname edge cases,
and git revision operator rejection.

This is groundwork — follow-up PRs wire the validators into the config
schema (PR 2) and git command invocations (PR 3).

Assisted-by: OpenCode with claude-opus-4-7

Wire validateGitUrl and validateGitRef into RepositoryConfigSchema via
Zod .refine() calls. Dangerous URLs (flag injection, unsupported schemes,
SSH authority injection) and refs (flag injection, shell metacharacters,
range operators) are now rejected at config parse time.

9 new test cases covering dangerous URLs and refs at the schema layer.

Assisted-by: OpenCode with claude-opus-4-7

…-- separator

Defense-in-depth against git flag injection:

- git clone: add --no-template to prevent --template= injection which is
  the primary code-execution vector via git hook scripts
- git checkout: add -- separator to prevent ref names starting with '-'
  from being interpreted as git flags

The schema-layer validation (PR 2) is the primary guard; these changes
provide belt-and-braces protection at the invocation layer.

Assisted-by: OpenCode with claude-opus-4-7
Signed-off-by: Cedric BAIL <cedric.bail@appdirect.com>
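
The checks listed in the commit messages above (scheme allowlist, leading-dash and control-character rejection, authority validation, ref character allowlist), as an added JavaScript sketch that is not the PR's code. The names `checkGitUrl` and `checkGitRef`, the regexes and the `{ ok, reason }` return shape are assumptions.

```javascript
// Added sketch: names, regexes and return shape are assumptions, not the PR's code.
const CONTROL_CHARS = /[\x00-\x1f\x7f]/;
const SCHEME_URL = /^(https?|ssh|file):\/\/(.*)$/i;
const SCP_LIKE = /^git@([^:]+):(.+)$/; // git@host:path form
const HOSTNAME = /^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$/; // IPv6 literals not handled
const REF_CHARS = /^[A-Za-z0-9._\/-]+$/; // leaves out ^ ~ { } : and whitespace

const PASS = { ok: true, reason: null };
const reject = (reason) => ({ ok: false, reason });

function checkGitUrl(url) {
  if (typeof url !== "string" || url === "") return reject("empty");
  // A leading dash would be parsed by git as an option, not as a repository.
  if (url.startsWith("-")) return reject("leading dash");
  if (CONTROL_CHARS.test(url)) return reject("control character");

  const scp = SCP_LIKE.exec(url);
  if (scp) return HOSTNAME.test(scp[1]) ? PASS : reject("invalid host");

  const m = SCHEME_URL.exec(url);
  if (!m) return reject("unsupported scheme");
  const authority = m[2].split("/")[0]; // text between "//" and the first "/"
  if (m[1].toLowerCase() === "file" && authority === "") return PASS;

  // The scheme allowlist alone would pass ssh://-oProxyCommand..., so the
  // authority is checked as well.
  if (authority.startsWith("-")) return reject("authority starts with dash");
  const hostPort = authority.slice(authority.lastIndexOf("@") + 1); // drop userinfo
  const host = hostPort.replace(/:\d*$/, ""); // drop port
  return HOSTNAME.test(host) ? PASS : reject("invalid host");
}

function checkGitRef(ref) {
  if (typeof ref !== "string" || ref === "") return reject("empty");
  if (ref.startsWith("-")) return reject("leading dash");
  if (ref.includes("..")) return reject("range operator");
  if (!REF_CHARS.test(ref)) return reject("disallowed character");
  return PASS;
}
```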