Validate git refs before constructing archive URL#235
Conversation
|
🎉 Thank you @saitejasviputta for submitting a Pull Request! We're excited to review your contribution. Before Review✅ Ensure all CI checks pass ⚡ Want faster reviews and contributor support? Join our Discord community: 🔗 https://discord.gg/FcXuyw2Rs Maintainers and mentors are active there and can help resolve blockers quickly. Happy Contributing! 🚀 |
4da4771 to
fd78cb1
Compare
|
✅ PR template check passed! @arpit2006 this PR is ready for your review. 🚀 |
1 similar comment
|
✅ PR template check passed! @arpit2006 this PR is ready for your review. 🚀 |
fd78cb1 to
b2d2c65
Compare
|
✅ PR template check passed! @arpit2006 this PR is ready for your review. 🚀 |
|
✅ PR template check passed! @arpit2006 this PR is ready for your review. 🚀 |
|
Hello @arpit2006, I tried by best to clear those CI fails. Please review it again. If it still fails I will try a different approach. |
arpit2006
left a comment
There was a problem hiding this comment.
Hi @saitejasviputta ! I won't be able to review this PR today due to other commitments. I'll go through the changes thoroughly tomorrow and, if everything looks good, I'll leave my approval then. Thanks for your patience!
|
✅ PR template check passed! @arpit2006 this PR is ready for your review. 🚀 |
|
Hi @arpit2006, thank you for your patience! I've addressed the CI issue, and the checks are now passing on my latest changes. Please take your time to review it whenever you're available. |
arpit2006
left a comment
There was a problem hiding this comment.
@saitejasviputta !
Thanks for the contribution!
It looks like the required GitHub Actions checks are currently failing, so I won't be able to complete the review or approve the PR just yet.
Could you please investigate and resolve the failing CI checks (particularly the Backend Python 3.10 workflow)? Once the CI is passing, I'll review the changes in detail and proceed with approval if everything looks good.
|
✅ PR template check passed! @arpit2006 this PR is ready for your review. 🚀 |
|
Hi @arpit2006 , |
arpit2006
left a comment
There was a problem hiding this comment.
Review: Approve ✅ — with one requested follow-up
The core fix is correct. validate_git_ref() uses an allowlist regex (^[A-Za-z0-9._/-]+$) which is the right approach — it correctly permits feature/login-style branches while blocking traversal patterns like ../main and ./main. The validation is called before URL construction, and quote(ref, safe="/") encodes it correctly so GitHub receives the expected path format.
One thing I'd ask before merging:
test_scan_url.py has no test cases for the ref parameter at all. The checklist says tests were added "where applicable" — I'd argue they're applicable here. Please add a few parametrized cases, for example:
main→ should passfeature/login→ should pass../main→ should return400-
./main→ should return400
main\hack→ should return400
Minor nit (no blocker): The
forbiddentuple checks for\\(backslash), but the allowlist regex already excludes it — that branch is dead code. Worth a comment or removal for clarity.
Happy to approve once the tests are added. The security intent is solid.
|
@saitejasviputta , All good just solve the minor changes. Once the changes are done PR is ready to APPROVE. |
|
✅ PR template check passed! @arpit2006 this PR is ready for your review. 🚀 |
|
Hello @arpit2006 , |
|
✅ PR template check passed! @arpit2006 this PR is ready for your review. 🚀 |
Linked issue
Closes #227
What this PR does
Adds validation for the user-supplied
refparameter used by the/scan-urlendpoint before constructing the GitHub archive download URL. The change rejects malformed Git references and URL-encodes validated references before generating the archive URL.Type of change
ML tier (if applicable)
Stack affected
Changes
Backend
validate_git_ref()to validate Git reference names using an allowlist.refparameter before constructing the GitHub archive URL.Frontend
New dependencies
Database / schema changes
Testing
How did you test this?
mainandfeature/logincontinue to construct valid archive URLs.../main,./main, and references containing backslashes) return a400 Bad Request.Checklist
console.erroror unhandled Python exceptions introducedrequirements.txt/package.jsonupdated if new dependencies added.pkl,.pt, etc.) are gitignored, not committedAnything reviewers should focus on
Please review the validation rules to ensure they are appropriately restrictive while continuing to support valid Git branch names such as
feature/login.Screenshots (if UI changed)
Not applicable.