From 7e48f1a9e0d89ca7d300e78e86e610cd0ab1c2f3 Mon Sep 17 00:00:00 2001
From: Abhimanyu Saharan
Date: Fri, 13 Feb 2026 23:00:46 +0000
Subject: [PATCH] fix(skills): sanitize git-derived branch names
---
 backend/app/api/skills_marketplace.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/backend/app/api/skills_marketplace.py b/backend/app/api/skills_marketplace.py
index 46c877b4..75edab7b 100644
--- a/backend/app/api/skills_marketplace.py
+++ b/backend/app/api/skills_marketplace.py
@@ -12,6 +12,8 @@ from typing import TYPE_CHECKING
 from urllib.parse import unquote, urlparse
 from uuid import UUID
 
+import re
+
 from fastapi import APIRouter, Depends, HTTPException, Query, status
 from sqlmodel import col
 
@@ -49,6 +51,7 @@ GATEWAY_ID_QUERY = Query(...)
 ALLOWED_PACK_SOURCE_SCHEMES = {"https"}
 GIT_CLONE_TIMEOUT_SECONDS = 30
 GIT_REV_PARSE_TIMEOUT_SECONDS = 10
+BRANCH_NAME_ALLOWED_RE = r"^[A-Za-z0-9._/\-]+$"
 
 
 @dataclass(frozen=True)
@@ -413,6 +416,9 @@ def _collect_pack_skills(source_url: str) -> list[PackSkillCandidate]:
     if any(ch in branch for ch in {"\n", "\r", "\t"}):
         branch = "main"
 
+    if not re.match(BRANCH_NAME_ALLOWED_RE, branch):
+        branch = "main"
+
     return _collect_pack_skills_from_repo(
         repo_dir=repo_dir,
         source_url=source_url,
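Review bot: `import re` is added as a group of its own, sitting between the stdlib `from typing`/`urllib`/`uuid` lines and the third-party `fastapi`/`sqlmodel` group, which breaks the stdlib/third-party grouping the surrounding context lines follow. It belongs inside the stdlib block; with the usual isort/ruff ordering a plain `import re` goes ahead of that block's `from … import …` lines, so the two added lines here can be dropped in favour of one `import re` placed above `from typing import TYPE_CHECKING` (that line is outside this hunk). A linter with import sorting enabled would flag the current placement.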
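Review bot: `BRANCH_NAME_ALLOWED_RE` is a bare pattern string with no comment saying what it is meant to exclude or why a non-matching name is replaced rather than rejected, and every caller has to push it through `re` on each call. Define it compiled, `BRANCH_NAME_ALLOWED_RE = re.compile(r"^[A-Za-z0-9._/\-]+$")` (the `re.match` call in this patch accepts a compiled pattern unchanged), and put a why-comment above it such as `# Conservative allow-list for branch names read back from git output; anything outside it falls back to "main" rather than being passed on.` It is worth noting in that comment that the class is narrower than git's own refname rules (characters like `@`, `+` and `#` are legal in a ref), so some legitimate default branches will be silently replaced by `main` — that is a deliberate trade-off and the comment should say so.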
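Review bot: The new allow-list still admits a branch name that begins with `-`, so if `branch` is later passed to a git subprocess as a positional argument (inside `_collect_pack_skills_from_repo`, whose body lies outside this hunk) a repo-controlled value starting with a dash would be parsed as a git option rather than a ref name; a leading dash should be rejected explicitly. Separately, `re.match` with a `$` anchor accepts a single trailing newline (`re.match(BRANCH_NAME_ALLOWED_RE, "main\n")` matches), so the added check only holds because the earlier `\n`/`\r`/`\t` test remains in front of it — `re.fullmatch` makes the regex stand on its own. Suggested replacement for the added condition: `if branch.startswith("-") or not re.fullmatch(BRANCH_NAME_ALLOWED_RE, branch):` followed by the existing `branch = "main"`. The rest of `_collect_pack_skills`, including where `branch` is obtained from git, starts before this hunk, so whether the value reaches a subprocess is inferred from the surrounding constants rather than visible here.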