actions/claude-code-action
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: allow # in branch names for PR checkout and base restore (#1167)

Browse Source 
`validateBranchName` used a strict whitelist that excluded `#`,
causing the action to fail on PRs from branches like `put-back-arm64-#2`
with "Invalid branch name" — even though the branch already exists in
git and `#` is permitted by git-check-ref-format.

The validation was designed to prevent command injection. However, every
git call in the action uses `execFileSync`, which bypasses the shell
entirely and passes arguments directly to the kernel's execve. There is
no shell to interpret `#` as a metacharacter, so the strict whitelist was
over-blocking valid names with no security benefit.

Add `#` to the whitelist pattern, and update the JSDoc and error message
to reflect the allowed character set.

Fixes #1137.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Max Flanagan 2026-04-04 23:17:46 -04:00 committed by GitHub
parent d5db8208f9
commit b15d4751a6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 13 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/github/operations/branch.ts
View File

@ -28,7 +28,7 @@ function extractFirstLabel(githubData: FetchDataResult): string | undefined {
*
* Valid branch names:
* - Start with alphanumeric character (not dash, to prevent option injection)
* - Contain only alphanumeric, forward slash, hyphen, underscore, or period
* - Contain only alphanumeric, forward slash, hyphen, underscore, period, or hash (#)
* - Do not start or end with a period
* - Do not end with a slash
* - Do not contain '..' (path traversal)
@ -58,12 +58,14 @@ export function validateBranchName(branchName: string): void {
);
}
// Strict whitelist pattern: alphanumeric start, then alphanumeric/slash/hyphen/underscore/period
const validPattern = /^[a-zA-Z0-9][a-zA-Z0-9/_.-]*$/;
// Strict whitelist pattern: alphanumeric start, then alphanumeric/slash/hyphen/underscore/period/hash.
// # is valid per git-check-ref-format and commonly used in branch names like "fix/#123-description".
// All git calls use execFileSync (not shell interpolation), so # carries no injection risk.
const validPattern = /^[a-zA-Z0-9][a-zA-Z0-9/_.#-]*$/;
if (!validPattern.test(branchName)) {
throw new Error(
`Invalid branch name: "${branchName}". Branch names must start with an alphanumeric character and contain only alphanumeric characters, forward slashes, hyphens, underscores, or periods.`,
`Invalid branch name: "${branchName}". Branch names must start with an alphanumeric character and contain only alphanumeric characters, forward slashes, hyphens, underscores, periods, or hashes (#).`,
);
}

7
test/validate-branch-name.test.ts
View File

@ -36,6 +36,13 @@ describe("validateBranchName", () => {
expect(() => validateBranchName("refs/heads/main")).not.toThrow();
expect(() => validateBranchName("bugfix/JIRA-1234")).not.toThrow();
});
it("should accept branch names containing # (git-valid, common in issue-linked branches)", () => {
// Reported in #1137: branches like "put-back-arm64-#2" were rejected
expect(() => validateBranchName("put-back-arm64-#2")).not.toThrow();
expect(() => validateBranchName("feature/#123-description")).not.toThrow();
expect(() => validateBranchName("fix/issue-#42")).not.toThrow();
});
});
describe("command injection attempts", () => {