
[Copilot AI] Branch refs from MR metadata not re-validated before git commands #14

@nexiouscaliver

Description


Problem

At omniforge_mcp_server.py:250-255, source/target branch names from MR metadata are used directly in git commands without calling validate_branch_name().

Assessment

Downgraded from Copilot's Medium to P3-low because:

  • Branch names come from GitLab API (trusted source)
  • run_exec uses list args (no shell injection risk)
  • Risk is limited to confusing git errors on malformed refs

Fix Direction

Call validate_branch_name() on both branches before use.

Acceptance Criteria

  • Validate source/target branches from metadata
  • Return structured error on invalid refs

Identified by Copilot AI agent. Re-rated: Medium -> P3-low (trusted source, no injection risk).
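As an added example of the fix direction above (this is illustrative code written for this page, not the project's own code and not the validate_branch_name() the issue refers to): the branch checks below follow the rules documented for git check-ref-format, and the MR metadata keys source_branch and target_branch, the helper validate_mr_branches() and the command builder build_diff_command() are assumptions. The rejection of a leading "-" and the --end-of-options terminator (git 2.24 and later) are added precautions so that a ref can never be read as a git option even though the command is already passed as a list.

```python
"""Validate MR branch names from metadata before they reach a git command.

Added example; the helpers and metadata keys are assumptions, not the
project's real API.
"""
import subprocess
from typing import Optional, Union

_FORBIDDEN_CHARS = set(" ~^:?*[\\")


def validate_branch_name(name: str) -> Optional[str]:
    """Return None if `name` is an acceptable branch ref, else a reason.

    Rules follow `git check-ref-format`; the leading '-' rule is an added
    precaution so a ref can never be parsed as a git option.
    """
    if not name:
        return "empty branch name"
    if name.startswith("-"):
        return "leading '-' could be parsed as a git option"
    if name == "@" or "@{" in name:
        return "ref may not be '@' or contain '@{'"
    if name.startswith("/") or name.endswith("/") or "//" in name:
        return "empty path component"
    if name.endswith(".") or ".." in name:
        return "ref may not end with '.' or contain '..'"
    for component in name.split("/"):
        if component.startswith(".") or component.endswith(".lock"):
            return "path component may not start with '.' or end with '.lock'"
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return "control character in ref"
    if any(c in _FORBIDDEN_CHARS for c in name):
        return "ref contains one of: space ~ ^ : ? * [ \\"
    return None


def validate_mr_branches(mr: dict) -> Union[tuple, dict]:
    """Validate both branches from MR metadata (assumed keys).

    Returns (source, target) when both are valid, otherwise a structured
    error dict that a tool handler can return to the caller as-is.
    """
    problems = []
    for field in ("source_branch", "target_branch"):
        value = mr.get(field, "")
        reason = validate_branch_name(value)
        if reason is not None:
            problems.append({"field": field, "value": value, "reason": reason})
    if problems:
        return {"ok": False, "error": "invalid_branch_ref", "details": problems}
    return mr["source_branch"], mr["target_branch"]


def build_diff_command(source: str, target: str) -> list:
    """List-form git command; --end-of-options keeps the refs positional."""
    return ["git", "diff", "--stat", "--end-of-options", f"{target}...{source}"]


def run_diff(source: str, target: str, repo_dir: str) -> str:
    """Run the validated command without a shell and return its stdout."""
    result = subprocess.run(
        build_diff_command(source, target),
        cwd=repo_dir, capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Constructed MR metadata, not real GitLab API output.
    good_mr = {"source_branch": "feature/login-fix", "target_branch": "main"}
    bad_mr = {"source_branch": "-oProxyCommand=x", "target_branch": "a..b"}
    print(validate_mr_branches(good_mr))
    print(validate_mr_branches(bad_mr))
```

The validation is done once, on the metadata, and the command builder only ever sees names that have passed it; the structured error carries the offending field and value so the caller sees which ref was rejected rather than a raw git error.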

Metadata

    Labels

  • P3-low: Nice-to-have improvements
  • copilot-ai: Identified by Copilot AI agent
  • mcp-server: MCP server (omniforge_mcp_server.py)
  • validation: Input validation issues
