@link-assistant/hive-mind 1.35.11 → 1.35.12

package/CHANGELOG.md

@@ -1,5 +1,17 @@
 # @link-assistant/hive-mind
 
+## 1.35.12
+
+### Patch Changes
+
+- 05a72c3: fix: reject URLs and invalid git branch names used as --base-branch (Issue #1482)
+  - Add `validateBranchName()` function to `solve.branch.lib.mjs` that validates branch names against git-check-ref-format rules
+  - Reject URLs (https://, http://, git@, ssh://) passed as --base-branch with clear error message
+  - Reject invalid git ref characters (spaces, ~, ^, :, ?, \*, [, ], \, control chars, .., @{)
+  - Add validation in `solve.config.lib.mjs` parseArguments (early catch), `solve.branch.lib.mjs` createOrCheckoutBranch (defense-in-depth), and `hive.mjs` (before forwarding to solve)
+  - Add 19 test cases in `tests/test-base-branch-validation.mjs`
+  - Add case study documentation in `docs/case-studies/issue-1482/`
+
 ## 1.35.11
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-assistant/hive-mind",
-  "version": "1.35.11",
+  "version": "1.35.12",
   "description": "AI-powered issue solver and hive mind for collaborative problem solving",
   "main": "src/hive.mjs",
   "type": "module",

package/src/hive.mjs

@@ -766,8 +766,16 @@ if (isDirectExecution) {
             const kebabToCamel = str => str.replace(/-([a-z])/g, (_, c) => c.toUpperCase());
             const args = [issueUrl, '--model', argv.model];
             // Special handling for options with different semantics in hive vs solve
-            if (argv.baseBranch) args.push('--base-branch', argv.baseBranch);
-            else if (argv.targetBranch) args.push('--base-branch', argv.targetBranch);
+            // Validate branch name before forwarding (issue #1482: reject URLs used as branch names)
+            const branchValue = argv.baseBranch || argv.targetBranch;
+            if (branchValue) {
+              const { validateBranchName } = await import('./solve.branch.lib.mjs');
+              const branchValidation = validateBranchName(branchValue);
+              if (!branchValidation.valid) {
+                throw new Error(`Invalid branch name for --base-branch/--target-branch: ${branchValidation.reason}`);
+              }
+              args.push('--base-branch', branchValue);
+            }
             if (argv.skipToolConnectionCheck || argv.toolConnectionCheck === false) args.push('--skip-tool-connection-check');
             if (argv.dryRun) args.push('--dry-run');
             if (argv.autoCleanup) args.push('--auto-cleanup'); // hive default differs from solve's auto-detect default

package/src/solve.branch.lib.mjs

@@ -100,6 +100,93 @@ export function detectBranchFormat(branchName) {
   return null;
 }
 
+/**
+ * Validates a branch name for use as --base-branch.
+ * Rejects URLs, invalid git ref characters, and enforces safe naming conventions.
+ * Based on git-check-ref-format rules: https://git-scm.com/docs/git-check-ref-format
+ *
+ * @param {string} branchName - The branch name to validate
+ * @returns {{ valid: boolean, reason?: string }} Validation result
+ */
+export function validateBranchName(branchName) {
+  if (!branchName || typeof branchName !== 'string') {
+    return { valid: false, reason: 'Branch name must be a non-empty string' };
+  }
+
+  const trimmed = branchName.trim();
+  if (trimmed !== branchName) {
+    return { valid: false, reason: 'Branch name must not have leading or trailing whitespace' };
+  }
+
+  // Reject URLs (the primary use case from issue #1482)
+  if (/^https?:\/\//i.test(branchName) || /^git@/i.test(branchName) || /^ssh:\/\//i.test(branchName)) {
+    return { valid: false, reason: `"${branchName}" looks like a URL, not a branch name. Use just the branch name (e.g. "main", "develop")` };
+  }
+
+  // Reject if it contains :// anywhere (catches other protocol-like URLs)
+  if (branchName.includes('://')) {
+    return { valid: false, reason: `"${branchName}" contains "://" which is not valid in a branch name` };
+  }
+
+  // Git ref format rules:
+  // Cannot contain ASCII control characters (bytes < 0x20) or DEL (0x7F)
+  // eslint-disable-next-line no-control-regex
+  if (/[\x00-\x1f\x7f]/.test(branchName)) {
+    return { valid: false, reason: 'Branch name must not contain control characters' };
+  }
+
+  // Cannot contain space, ~, ^, :, ?, *, [, or backslash
+  if (/[ ~^:?*[\]\\]/.test(branchName)) {
+    return { valid: false, reason: 'Branch name contains invalid characters (spaces, ~, ^, :, ?, *, [, ] or \\ are not allowed)' };
+  }
+
+  // Cannot contain ..
+  if (branchName.includes('..')) {
+    return { valid: false, reason: 'Branch name must not contain ".."' };
+  }
+
+  // Cannot start with . or -
+  if (branchName.startsWith('.') || branchName.startsWith('-')) {
+    return { valid: false, reason: 'Branch name must not start with "." or "-"' };
+  }
+
+  // Cannot end with . or .lock
+  if (branchName.endsWith('.') || branchName.endsWith('.lock')) {
+    return { valid: false, reason: 'Branch name must not end with "." or ".lock"' };
+  }
+
+  // Cannot contain @{
+  if (branchName.includes('@{')) {
+    return { valid: false, reason: 'Branch name must not contain "@{"' };
+  }
+
+  // Cannot be exactly @
+  if (branchName === '@') {
+    return { valid: false, reason: 'Branch name must not be "@"' };
+  }
+
+  // Component-level checks: no component can start with . or end with .lock
+  const components = branchName.split('/');
+  for (const component of components) {
+    if (component === '') {
+      return { valid: false, reason: 'Branch name must not contain consecutive slashes or start/end with "/"' };
+    }
+    if (component.startsWith('.')) {
+      return { valid: false, reason: `Branch name component "${component}" must not start with "."` };
+    }
+    if (component.endsWith('.lock')) {
+      return { valid: false, reason: `Branch name component "${component}" must not end with ".lock"` };
+    }
+  }
+
+  // Reasonable length limit
+  if (branchName.length > 255) {
+    return { valid: false, reason: 'Branch name must not exceed 255 characters' };
+  }
+
+  return { valid: true };
+}
+
 export async function createOrCheckoutBranch({ isContinueMode, prBranch, issueNumber, tempDir, defaultBranch, argv, log, formatAligned, $, crypto, owner, repo, prNumber }) {
   // Create a branch for the issue or checkout existing PR branch
   let branchName;
@@ -120,6 +207,13 @@ export async function createOrCheckoutBranch({ isContinueMode, prBranch, issueNu
     // Use user-specified base branch if provided, otherwise use repository default
     const baseBranch = argv.baseBranch || defaultBranch;
     const branchSource = argv.baseBranch ? 'custom' : 'default';
+
+    // Defense-in-depth: validate base branch name even if already validated at CLI parsing (issue #1482)
+    const baseBranchValidation = validateBranchName(baseBranch);
+    if (!baseBranchValidation.valid) {
+      throw new Error(`Invalid base branch "${baseBranch}": ${baseBranchValidation.reason}`);
+    }
+
     await log(`\n${formatAligned('🌿', 'Creating branch:', `${branchName} from ${baseBranch} (${branchSource})`)}`);
 
     // IMPORTANT: Don't use 2>&1 here as it can interfere with exit codes

package/src/solve.config.lib.mjs

@@ -9,6 +9,7 @@
 
 import { enhanceErrorMessage, detectMalformedFlags } from './option-suggestions.lib.mjs';
 import { defaultModels, buildModelOptionDescription } from './models/index.mjs';
+import { validateBranchName } from './solve.branch.lib.mjs';
 
 // Re-export for use by telegram-bot.mjs (avoids extra import lines there)
 export { detectMalformedFlags };
@@ -563,6 +564,14 @@ export const parseArguments = async (yargs, hideBin) => {
     }
   }
 
+  // Validate --base-branch value (issue #1482: reject URLs and invalid git branch names)
+  if (argv.baseBranch) {
+    const branchValidation = validateBranchName(argv.baseBranch);
+    if (!branchValidation.valid) {
+      throw new Error(`Invalid --base-branch value: ${branchValidation.reason}`);
+    }
+  }
+
   if (argv.tool && !modelExplicitlyProvided && defaultModels[argv.tool]) {
     // User did not explicitly provide --model, so use the correct default for the tool
     // (Issue #1473: centralized in models/index.mjs)