fix(validation): allow hashtag in git branch names (#4714)

Branch names containing '#' (e.g. feat#123) were rejected by
VALID_BRANCH_REGEX when saving a git provider configuration, even
though '#' is a legal git ref character.

Add '#' to the allowed character set. The change propagates to the
backend zod schemas and all provider UI forms, since they share this
constant.

'#' is not a shell injection vector: the regex still rejects every
character needed to terminate a command (; | & $ ( ) ` newline space
quotes), and '#' only starts a shell comment at the beginning of a
word, never mid-argument as in 'git clone --branch feat#123'.

Fixes #4585
This commit is contained in:
Mauricio Siu
2026-06-30 16:19:22 -06:00
committed by GitHub
parent 8d44c6a1e8
commit 6431e9b7b0

View File

@@ -1,3 +1,3 @@
// Valid git branch names per git-check-ref-format rules.
// Rejects shell metacharacters that would enable command injection.
export const VALID_BRANCH_REGEX = /^[a-zA-Z0-9._\-/]+$/;
export const VALID_BRANCH_REGEX = /^[a-zA-Z0-9._\-/#]+$/;