fix: stricter GitHub owner/repo regexes and injection tests

vinta · claude · vinta · commit 1ae889b4fd4c · 2026-03-30T15:03:06.000+08:00
Split _GITHUB_NAME_RE into separate owner and repo patterns.
Owner regex now rejects leading/trailing hyphens and dots (matching
GitHub's actual username rules). Repo regex requires alphanumeric
start but allows dots and underscores anywhere after.

New tests cover GraphQL injection attempts, invalid leading chars,
and valid hyphenated/underscore/dot combinations.

Co-Authored-By: Claude &lt;noreply@anthropic.com&gt;
diff --git a/website/fetch_github_stars.py b/website/fetch_github_stars.py
@@ -19,9 +19,10 @@
 GRAPHQL_URL = "https://api.github.com/graphql"
 BATCH_SIZE = 50
 
-# Allowlist for valid GitHub owner/repo name characters.
-# GitHub usernames and repo names only allow letters, digits, hyphens, underscores, and dots.
-_GITHUB_NAME_RE = re.compile(r"^[a-zA-Z0-9._-]+$")
+# GitHub usernames: alphanumeric and hyphens, must start/end with alphanumeric.
+_GITHUB_OWNER_RE = re.compile(r"^[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?$")
+# GitHub repo names: alphanumeric, hyphens, underscores, dots, must start with alphanumeric.
+_GITHUB_NAME_RE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9._-]*$")
 
 
 def extract_github_repos(text: str) -> set[str]:
@@ -50,7 +51,7 @@ def build_graphql_query(repos: list[str]) -> str:
     parts = []
     for i, repo in enumerate(repos):
         owner, name = repo.split("/", 1)
-        if not _GITHUB_NAME_RE.match(owner) or not _GITHUB_NAME_RE.match(name):
+        if not _GITHUB_OWNER_RE.match(owner) or not _GITHUB_NAME_RE.match(name):
             continue
         parts.append(
             f'repo_{i}: repository(owner: "{owner}", name: "{name}") '
diff --git a/website/tests/test_fetch_github_stars.py b/website/tests/test_fetch_github_stars.py
@@ -98,6 +98,38 @@ def test_skips_only_bad_repos(self):
         assert "good" in query
         assert "bad" not in query
 
+    def test_skips_graphql_injection_in_owner(self):
+        query = build_graphql_query(['org"){evil}/repo'])
+        assert query == ""
+
+    def test_skips_graphql_injection_in_name(self):
+        query = build_graphql_query(['org/repo"){evil}'])
+        assert query == ""
+
+    def test_skips_owner_starting_with_hyphen(self):
+        query = build_graphql_query(["-bad/repo"])
+        assert query == ""
+
+    def test_skips_owner_starting_with_dot(self):
+        query = build_graphql_query([".bad/repo"])
+        assert query == ""
+
+    def test_skips_repo_starting_with_dot(self):
+        query = build_graphql_query(["org/.hidden"])
+        assert query == ""
+
+    def test_allows_repo_with_dots_and_underscores(self):
+        query = build_graphql_query(["org/my_repo.py"])
+        assert 'name: "my_repo.py"' in query
+
+    def test_allows_hyphenated_owner(self):
+        query = build_graphql_query(["my-org/repo"])
+        assert 'owner: "my-org"' in query
+
+    def test_skips_owner_with_underscore(self):
+        query = build_graphql_query(["bad_owner/repo"])
+        assert query == ""
+
 
 class TestParseGraphqlResponse:
     def test_parses_star_count_and_owner(self):
