From 90515fd5957d9a8519431dfd7803d717c39a6d34 Mon Sep 17 00:00:00 2001
From: Mauricio Siu
Date: Tue, 30 Jun 2026 16:18:11 -0600
Subject: [PATCH] fix(validation): allow hashtag in git branch names Branch names containing '#' (e.g. feat#123) were rejected by VALID_BRANCH_REGEX when saving a git provider configuration, even though '#' is a legal git ref character. Add '#' to the allowed character set. The change propagates to the backend zod schemas and all provider UI forms, since they share this constant. '#' is not a shell injection vector: the regex still rejects every character needed to terminate a command (; | & $ ( ) ` newline space quotes), and '#' only starts a shell comment at the beginning of a word, never mid-argument as in 'git clone --branch feat#123'. Fixes #4585
---
 packages/server/src/utils/git-branch-validation.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/server/src/utils/git-branch-validation.ts b/packages/server/src/utils/git-branch-validation.ts
index 71451390d..43b69fd16 100644
--- a/packages/server/src/utils/git-branch-validation.ts
+++ b/packages/server/src/utils/git-branch-validation.ts
@@ -1,3 +1,3 @@
 // Valid git branch names per git-check-ref-format rules.
 // Rejects shell metacharacters that would enable command injection.
-export const VALID_BRANCH_REGEX = /^[a-zA-Z0-9._\-/]+$/;
+export const VALID_BRANCH_REGEX = /^[a-zA-Z0-9._\-/#]+$/;
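Review bot: The widened class in `VALID_BRANCH_REGEX` accepts `#` (and, as before, `-`) as the first character, which is the one position where the commit message's own safety argument does not hold: a value such as `#main` placed unquoted as its own word makes the shell treat the rest of the command line as a comment, and a leading `-` can be read as an option wherever the branch is passed as a positional argument. How callers build their commands is not visible in this hunk, so quoting or an argv-style spawn may already cover this, but the constant is documented as the injection guard and should not depend on that. Consider constraining the first character, e.g. `export const VALID_BRANCH_REGEX = /^(?![#-])[a-zA-Z0-9._\-/#]+$/;`, with tests that `feat#123` passes and `#main` and `-x` are rejected. If any provider code interpolates the branch into a URL path or query string, `#` also needs `encodeURIComponent` there, otherwise everything after it is dropped as a fragment. The header comment's "per git-check-ref-format rules" is also broader than what the pattern enforces (`..`, `//` and a trailing `.lock` still pass), so it would read more accurately as `// Conservative allowlist for branch names; not a full git-check-ref-format check.`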