From 6431e9b7b0e97f6319051d42768cc3f90c367c00 Mon Sep 17 00:00:00 2001
From: Mauricio Siu <47042324+Siumauricio@users.noreply.github.com>
Date: Tue, 30 Jun 2026 16:19:22 -0600
Subject: [PATCH] fix(validation): allow hashtag in git branch names (#4714)
Branch names containing '#' (e.g. feat#123) were rejected by VALID_BRANCH_REGEX when saving a git provider configuration, even though '#' is a legal git ref character. Add '#' to the allowed character set. The change propagates to the backend zod schemas and all provider UI forms, since they share this constant. '#' is not a shell injection vector: the regex still rejects every character needed to terminate a command (; | & $ ( ) ` newline space quotes), and '#' only starts a shell comment at the beginning of a word, never mid-argument as in 'git clone --branch feat#123'. Fixes #4585
---
 packages/server/src/utils/git-branch-validation.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/server/src/utils/git-branch-validation.ts b/packages/server/src/utils/git-branch-validation.ts
index 71451390d..43b69fd16 100644
--- a/packages/server/src/utils/git-branch-validation.ts
+++ b/packages/server/src/utils/git-branch-validation.ts
@@ -1,3 +1,3 @@
 // Valid git branch names per git-check-ref-format rules.
 // Rejects shell metacharacters that would enable command injection.
-export const VALID_BRANCH_REGEX = /^[a-zA-Z0-9._\-/]+$/;
+export const VALID_BRANCH_REGEX = /^[a-zA-Z0-9._\-/#]+$/;
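Review bot: The widened character class in `VALID_BRANCH_REGEX` also accepts `#` as the first character (for example `#123`), while the commit message's safety argument covers only a `#` in the middle of a word. If any caller interpolates the branch unquoted into a shell string, which this hunk does not show, a leading `#` starts a comment and the rest of that command line is silently dropped. Either confirm that every call site quotes the branch or passes it as a separate argv element, or keep the first character restricted with `export const VALID_BRANCH_REGEX = /^(?!#)[a-zA-Z0-9._\-/#]+$/;`. The two comment lines above the constant should change with it, since the pattern is a character allow-list rather than the full git-check-ref-format rules and `#` is itself shell-significant at the start of a word; for example `// Allow-list of branch-name characters; '#' is accepted except in first position.`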