fix(skills): sanitize git-derived branch names

This commit is contained in:
Abhimanyu Saharan
2026-02-13 23:00:46 +00:00
parent 5d03a522b9
commit 7e48f1a9e0


@@ -12,6 +12,8 @@ from typing import TYPE_CHECKING
from urllib.parse import unquote, urlparse from urllib.parse import unquote, urlparse
from uuid import UUID from uuid import UUID
import re
from fastapi import APIRouter, Depends, HTTPException, Query, status from fastapi import APIRouter, Depends, HTTPException, Query, status
from sqlmodel import col from sqlmodel import col
@@ -49,6 +51,7 @@ GATEWAY_ID_QUERY = Query(...)
ALLOWED_PACK_SOURCE_SCHEMES = {"https"} ALLOWED_PACK_SOURCE_SCHEMES = {"https"}
GIT_CLONE_TIMEOUT_SECONDS = 30 GIT_CLONE_TIMEOUT_SECONDS = 30
GIT_REV_PARSE_TIMEOUT_SECONDS = 10 GIT_REV_PARSE_TIMEOUT_SECONDS = 10
BRANCH_NAME_ALLOWED_RE = r"^[A-Za-z0-9._/\-]+$"
@dataclass(frozen=True) @dataclass(frozen=True)
@@ -413,6 +416,9 @@ def _collect_pack_skills(source_url: str) -> list[PackSkillCandidate]:
if any(ch in branch for ch in {"\n", "\r", "\t"}): if any(ch in branch for ch in {"\n", "\r", "\t"}):
branch = "main" branch = "main"
if not re.match(BRANCH_NAME_ALLOWED_RE, branch):
branch = "main"
return _collect_pack_skills_from_repo( return _collect_pack_skills_from_repo(
repo_dir=repo_dir, repo_dir=repo_dir,
source_url=source_url, source_url=source_url,
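Review bot: The allowlist in `BRANCH_NAME_ALLOWED_RE` still admits a leading `-` and the sequence `..`, so values such as `--upload-pack` or `../x` pass the new check at L26-27; if `branch` is later handed to git as a positional argument (the `GIT_CLONE_TIMEOUT_SECONDS`/`GIT_REV_PARSE_TIMEOUT_SECONDS` constants suggest it is), a dash-prefixed name can be parsed as an option and `..` forms a revision range, both of which git's own refname rules forbid. Separately, `$` in a Python regex also matches before a trailing newline, so the regex check only holds because the `\n` test on the line above runs first; `fullmatch` (or `\Z`) makes it self-contained. I would tighten the constant to `BRANCH_NAME_ALLOWED_RE = r"(?!-)(?!.*\.\.)[A-Za-z0-9._/\-]+"`, call `re.fullmatch(BRANCH_NAME_ALLOWED_RE, branch)`, and insert `--` (or prefix `refs/heads/`) before the name wherever it reaches a git command. `_collect_pack_skills` begins before this hunk, so where `branch` originates and how it is passed to git are not visible here.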