internal/handlers/repo_url_validation.go

@@ -17,7 +17,8 @@ var (
 )
 
 // scpLikeRepoRe matches SCP-like git URLs: git@host:path (e.g. git@github.com:user/repo.git).
-var scpLikeRepoRe = regexp.MustCompile(`^[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+:.+$`)
+// Only the "git" user is allowed, as that is the standard for SSH deploy keys.
+var scpLikeRepoRe = regexp.MustCompile(`^git@[a-zA-Z0-9._-]+:.+$`)
 
 // validateRepoURL checks that the given repository URL is valid and uses an allowed scheme.
 func validateRepoURL(repoURL string) error {
@@ -25,6 +26,11 @@ func validateRepoURL(repoURL string) error {
 		return errRepoURLEmpty
 	}
 
+	// Reject path traversal in any URL format
+	if strings.Contains(repoURL, "..") {
+		return errRepoURLInvalid
+	}
+
 	// Check for SCP-like git URLs first (git@host:path)
 	if scpLikeRepoRe.MatchString(repoURL) {
 		return nil

internal/handlers/repo_url_validation_test.go

@@ -32,6 +32,11 @@ func TestValidateRepoURL(t *testing.T) {
 		{name: "no host https", url: "https:///path", wantErr: true},
 		{name: "no path https", url: "https://github.com", wantErr: true},
 		{name: "no path https trailing slash", url: "https://github.com/", wantErr: true},
+		{name: "SCP-like non-git user", url: "root@github.com:user/repo.git", wantErr: true},
+		{name: "SCP-like arbitrary user", url: "admin@github.com:user/repo.git", wantErr: true},
+		{name: "path traversal SCP", url: "git@github.com:../../etc/passwd", wantErr: true},
+		{name: "path traversal https", url: "https://github.com/user/../../../etc/passwd", wantErr: true},
+		{name: "path traversal in middle", url: "https://github.com/user/repo/../secret", wantErr: true},
 	}
 
 	for _, tc := range tests {