fix: restrict SCP-like URLs to git user only and reject path traversal

- Changed SCP regex to only accept 'git' as the username
- Added path traversal check: reject URLs containing '..'
- Added test cases for non-git users and path traversal

internal/handlers/repo_url_validation.go

@@ -17,7 +17,8 @@ var (
 )
 
 // scpLikeRepoRe matches SCP-like git URLs: git@host:path (e.g. git@github.com:user/repo.git).
-var scpLikeRepoRe = regexp.MustCompile(`^[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+:.+$`)
+// Only the "git" user is allowed, as that is the standard for SSH deploy keys.
+var scpLikeRepoRe = regexp.MustCompile(`^git@[a-zA-Z0-9._-]+:.+$`)
 
 // validateRepoURL checks that the given repository URL is valid and uses an allowed scheme.
 func validateRepoURL(repoURL string) error {
@@ -25,6 +26,11 @@ func validateRepoURL(repoURL string) error {
 		return errRepoURLEmpty
 	}
 
+	// Reject path traversal in any URL format
+	if strings.Contains(repoURL, "..") {
+		return errRepoURLInvalid
+	}
+
 	// Check for SCP-like git URLs first (git@host:path)
 	if scpLikeRepoRe.MatchString(repoURL) {
 		return nil