gitx.do 0.0.3 → 0.1.0

package/dist/wire/path-security.d.ts

@@ -0,0 +1,157 @@
+/**
+ * @fileoverview Path Security Validation for Wire Protocol
+ *
+ * This module provides security validation for paths and refs received from
+ * clients via the wire protocol. It prevents path traversal attacks and ensures
+ * paths are properly normalized and scoped.
+ *
+ * @module wire/path-security
+ *
+ * ## Security Considerations
+ *
+ * - Prevents path traversal via `../` sequences
+ * - Rejects absolute paths starting with `/` or drive letters
+ * - Normalizes paths to remove redundant separators
+ * - Validates ref names are within allowed namespace
+ * - Blocks null bytes and other control characters
+ *
+ * @example
+ * ```typescript
+ * import { validateRefPath, validateRepositoryId, PathSecurityError } from './path-security'
+ *
+ * try {
+ *   validateRefPath('refs/heads/main')  // OK
+ *   validateRefPath('refs/../../../etc/passwd')  // Throws PathSecurityError
+ * } catch (e) {
+ *   if (e instanceof PathSecurityError) {
+ *     console.error('Security violation:', e.message)
+ *   }
+ * }
+ * ```
+ */
+/**
+ * Error thrown when a path security violation is detected.
+ */
+export declare class PathSecurityError extends Error {
+    readonly code: string;
+    constructor(message: string, code?: string);
+}
+/**
+ * Result of path validation.
+ */
+export interface PathValidationResult {
+    /** Whether the path is valid */
+    valid: boolean;
+    /** Error message if invalid */
+    error?: string;
+    /** Error code if invalid */
+    code?: string;
+    /** Normalized path (if valid) */
+    normalizedPath?: string;
+}
+/**
+ * Check if a path contains path traversal sequences.
+ *
+ * @param path - Path to check
+ * @returns true if path traversal is detected
+ */
+export declare function containsPathTraversal(path: string): boolean;
+/**
+ * Check if a path is absolute.
+ *
+ * @param path - Path to check
+ * @returns true if the path is absolute
+ */
+export declare function isAbsolutePath(path: string): boolean;
+/**
+ * Check if a path contains dangerous characters.
+ *
+ * @param path - Path to check
+ * @returns Object with valid status and optional error
+ */
+export declare function containsDangerousCharacters(path: string): {
+    dangerous: boolean;
+    reason?: string;
+};
+/**
+ * Normalize a path by removing redundant separators and resolving . components.
+ * Does NOT resolve .. components - those should be rejected.
+ *
+ * @param path - Path to normalize
+ * @returns Normalized path
+ */
+export declare function normalizePath(path: string): string;
+/**
+ * Validate a ref path for security issues.
+ *
+ * @description
+ * Validates a Git ref path to ensure it:
+ * - Does not contain path traversal sequences
+ * - Is not an absolute path
+ * - Does not contain dangerous characters
+ * - Starts with a valid ref prefix (refs/, HEAD)
+ *
+ * @param refPath - Ref path to validate
+ * @returns Validation result
+ *
+ * @example
+ * ```typescript
+ * const result = validateRefPath('refs/heads/main')
+ * // result.valid === true
+ *
+ * const badResult = validateRefPath('refs/heads/../../../etc/passwd')
+ * // badResult.valid === false
+ * // badResult.error === 'path traversal detected'
+ * ```
+ */
+export declare function validateRefPath(refPath: string): PathValidationResult;
+/**
+ * Validate a repository identifier for security issues.
+ *
+ * @description
+ * Validates a repository identifier to ensure it:
+ * - Does not contain path traversal sequences
+ * - Is not an absolute path
+ * - Does not contain dangerous characters
+ * - Contains only allowed characters (alphanumeric, dash, underscore, dot, slash)
+ *
+ * @param repoId - Repository identifier to validate
+ * @returns Validation result
+ *
+ * @example
+ * ```typescript
+ * const result = validateRepositoryId('my-org/my-repo')
+ * // result.valid === true
+ *
+ * const badResult = validateRepositoryId('../../../etc/passwd')
+ * // badResult.valid === false
+ * ```
+ */
+export declare function validateRepositoryId(repoId: string): PathValidationResult;
+/**
+ * Validate and sanitize a ref name for security.
+ *
+ * @description
+ * Combines Git ref name validation with security checks.
+ * This should be used in addition to the standard validateRefName function.
+ *
+ * @param refName - Ref name to validate
+ * @throws {PathSecurityError} If security violation detected
+ * @returns Normalized ref name
+ *
+ * @example
+ * ```typescript
+ * const safe = validateSecureRefName('refs/heads/main')  // 'refs/heads/main'
+ * validateSecureRefName('refs/../etc/passwd')  // throws PathSecurityError
+ * ```
+ */
+export declare function validateSecureRefName(refName: string): string;
+/**
+ * Validate and sanitize a repository identifier for security.
+ *
+ * @param repoId - Repository identifier to validate
+ * @throws {PathSecurityError} If security violation detected
+ * @returns Normalized repository identifier
+ */
+export declare function validateSecureRepositoryId(repoId: string): string;
+//# sourceMappingURL=path-security.d.ts.map

package/dist/wire/path-security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-security.d.ts","sourceRoot":"","sources":["../../src/wire/path-security.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH;;GAEG;AACH,qBAAa,iBAAkB,SAAQ,KAAK;IAC1C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAA;gBAET,OAAO,EAAE,MAAM,EAAE,IAAI,GAAE,MAAkC;CAKtE;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,gCAAgC;IAChC,KAAK,EAAE,OAAO,CAAA;IACd,+BAA+B;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,4BAA4B;IAC5B,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,iCAAiC;IACjC,cAAc,CAAC,EAAE,MAAM,CAAA;CACxB;AAkBD;;;;;GAKG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CA0B3D;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAcpD;AAED;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,IAAI,EAAE,MAAM,GAAG;IAAE,SAAS,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAejG;AAED;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAsBlD;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,oBAAoB,CAiDrE;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,oBAAoB,CAuCzE;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAW7D;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAWjE"}

package/dist/wire/path-security.js

@@ -0,0 +1,307 @@
+/**
+ * @fileoverview Path Security Validation for Wire Protocol
+ *
+ * This module provides security validation for paths and refs received from
+ * clients via the wire protocol. It prevents path traversal attacks and ensures
+ * paths are properly normalized and scoped.
+ *
+ * @module wire/path-security
+ *
+ * ## Security Considerations
+ *
+ * - Prevents path traversal via `../` sequences
+ * - Rejects absolute paths starting with `/` or drive letters
+ * - Normalizes paths to remove redundant separators
+ * - Validates ref names are within allowed namespace
+ * - Blocks null bytes and other control characters
+ *
+ * @example
+ * ```typescript
+ * import { validateRefPath, validateRepositoryId, PathSecurityError } from './path-security'
+ *
+ * try {
+ *   validateRefPath('refs/heads/main')  // OK
+ *   validateRefPath('refs/../../../etc/passwd')  // Throws PathSecurityError
+ * } catch (e) {
+ *   if (e instanceof PathSecurityError) {
+ *     console.error('Security violation:', e.message)
+ *   }
+ * }
+ * ```
+ */
+/**
+ * Error thrown when a path security violation is detected.
+ */
+export class PathSecurityError extends Error {
+    code;
+    constructor(message, code = 'PATH_SECURITY_VIOLATION') {
+        super(message);
+        this.name = 'PathSecurityError';
+        this.code = code;
+    }
+}
+/**
+ * Check if a path component is a traversal attempt.
+ *
+ * @param component - Path component to check
+ * @returns true if this is a traversal component
+ */
+function isTraversalComponent(component) {
+    // Exact match for ..
+    if (component === '..')
+        return true;
+    // URL-encoded variants
+    if (component === '%2e%2e' || component === '%2E%2E')
+        return true;
+    // Double-URL-encoded
+    if (component === '%252e%252e' || component === '%252E%252E')
+        return true;
+    return false;
+}
+/**
+ * Check if a path contains path traversal sequences.
+ *
+ * @param path - Path to check
+ * @returns true if path traversal is detected
+ */
+export function containsPathTraversal(path) {
+    // Check for null bytes
+    if (path.includes('\0') || path.includes('%00')) {
+        return true;
+    }
+    // Check for literal ..
+    if (path.includes('..')) {
+        return true;
+    }
+    // Check URL-encoded variants (case-insensitive)
+    const lowerPath = path.toLowerCase();
+    if (lowerPath.includes('%2e%2e') || lowerPath.includes('%252e%252e')) {
+        return true;
+    }
+    // Check each component after splitting
+    const components = path.split(/[/\\]/);
+    for (const component of components) {
+        if (isTraversalComponent(component)) {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Check if a path is absolute.
+ *
+ * @param path - Path to check
+ * @returns true if the path is absolute
+ */
+export function isAbsolutePath(path) {
+    // Unix absolute path
+    if (path.startsWith('/'))
+        return true;
+    // Windows absolute path (drive letter)
+    if (/^[a-zA-Z]:[/\\]/.test(path))
+        return true;
+    // Windows UNC path
+    if (path.startsWith('\\\\'))
+        return true;
+    // URL-encoded leading slash
+    if (path.startsWith('%2f') || path.startsWith('%2F'))
+        return true;
+    return false;
+}
+/**
+ * Check if a path contains dangerous characters.
+ *
+ * @param path - Path to check
+ * @returns Object with valid status and optional error
+ */
+export function containsDangerousCharacters(path) {
+    // Null byte
+    if (path.includes('\0')) {
+        return { dangerous: true, reason: 'null byte detected' };
+    }
+    // Control characters (0x00-0x1f except tab/newline, and 0x7f)
+    for (let i = 0; i < path.length; i++) {
+        const code = path.charCodeAt(i);
+        if ((code >= 0 && code < 0x20 && code !== 0x09 && code !== 0x0a) || code === 0x7f) {
+            return { dangerous: true, reason: 'control character detected' };
+        }
+    }
+    return { dangerous: false };
+}
+/**
+ * Normalize a path by removing redundant separators and resolving . components.
+ * Does NOT resolve .. components - those should be rejected.
+ *
+ * @param path - Path to normalize
+ * @returns Normalized path
+ */
+export function normalizePath(path) {
+    // Replace backslashes with forward slashes
+    let normalized = path.replace(/\\/g, '/');
+    // Remove duplicate slashes
+    normalized = normalized.replace(/\/+/g, '/');
+    // Remove trailing slash (unless it's the root)
+    if (normalized.length > 1 && normalized.endsWith('/')) {
+        normalized = normalized.slice(0, -1);
+    }
+    // Remove . components
+    const components = normalized.split('/');
+    const filtered = components.filter(c => c !== '.' && c !== '');
+    // Preserve leading slash if present
+    if (normalized.startsWith('/')) {
+        return '/' + filtered.join('/');
+    }
+    return filtered.join('/') || '.';
+}
+/**
+ * Validate a ref path for security issues.
+ *
+ * @description
+ * Validates a Git ref path to ensure it:
+ * - Does not contain path traversal sequences
+ * - Is not an absolute path
+ * - Does not contain dangerous characters
+ * - Starts with a valid ref prefix (refs/, HEAD)
+ *
+ * @param refPath - Ref path to validate
+ * @returns Validation result
+ *
+ * @example
+ * ```typescript
+ * const result = validateRefPath('refs/heads/main')
+ * // result.valid === true
+ *
+ * const badResult = validateRefPath('refs/heads/../../../etc/passwd')
+ * // badResult.valid === false
+ * // badResult.error === 'path traversal detected'
+ * ```
+ */
+export function validateRefPath(refPath) {
+    // Empty check
+    if (!refPath || refPath.trim() === '') {
+        return { valid: false, error: 'empty ref path', code: 'EMPTY_PATH' };
+    }
+    // Trim whitespace
+    const trimmed = refPath.trim();
+    // Check for dangerous characters
+    const dangerCheck = containsDangerousCharacters(trimmed);
+    if (dangerCheck.dangerous) {
+        return { valid: false, error: dangerCheck.reason, code: 'DANGEROUS_CHARS' };
+    }
+    // Check for path traversal
+    if (containsPathTraversal(trimmed)) {
+        return { valid: false, error: 'path traversal detected', code: 'PATH_TRAVERSAL' };
+    }
+    // Check for absolute path
+    if (isAbsolutePath(trimmed)) {
+        return { valid: false, error: 'absolute path not allowed', code: 'ABSOLUTE_PATH' };
+    }
+    // Validate ref prefix (must start with refs/ or be HEAD)
+    const validPrefixes = ['refs/', 'HEAD'];
+    const hasValidPrefix = validPrefixes.some(prefix => trimmed === prefix.replace(/\/$/, '') || trimmed.startsWith(prefix));
+    if (!hasValidPrefix) {
+        return { valid: false, error: 'invalid ref prefix', code: 'INVALID_PREFIX' };
+    }
+    // Normalize the path
+    const normalized = normalizePath(trimmed);
+    // After normalization, re-check that we still have valid prefix
+    // (normalization shouldn't change valid paths, but double-check)
+    const normalizedHasValidPrefix = validPrefixes.some(prefix => normalized === prefix.replace(/\/$/, '') || normalized.startsWith(prefix));
+    if (!normalizedHasValidPrefix) {
+        return { valid: false, error: 'path escapes ref namespace after normalization', code: 'NAMESPACE_ESCAPE' };
+    }
+    return { valid: true, normalizedPath: normalized };
+}
+/**
+ * Validate a repository identifier for security issues.
+ *
+ * @description
+ * Validates a repository identifier to ensure it:
+ * - Does not contain path traversal sequences
+ * - Is not an absolute path
+ * - Does not contain dangerous characters
+ * - Contains only allowed characters (alphanumeric, dash, underscore, dot, slash)
+ *
+ * @param repoId - Repository identifier to validate
+ * @returns Validation result
+ *
+ * @example
+ * ```typescript
+ * const result = validateRepositoryId('my-org/my-repo')
+ * // result.valid === true
+ *
+ * const badResult = validateRepositoryId('../../../etc/passwd')
+ * // badResult.valid === false
+ * ```
+ */
+export function validateRepositoryId(repoId) {
+    // Empty check
+    if (!repoId || repoId.trim() === '') {
+        return { valid: false, error: 'empty repository identifier', code: 'EMPTY_PATH' };
+    }
+    // Trim whitespace
+    const trimmed = repoId.trim();
+    // Check for dangerous characters
+    const dangerCheck = containsDangerousCharacters(trimmed);
+    if (dangerCheck.dangerous) {
+        return { valid: false, error: dangerCheck.reason, code: 'DANGEROUS_CHARS' };
+    }
+    // Check for path traversal
+    if (containsPathTraversal(trimmed)) {
+        return { valid: false, error: 'path traversal detected', code: 'PATH_TRAVERSAL' };
+    }
+    // Check for absolute path
+    if (isAbsolutePath(trimmed)) {
+        return { valid: false, error: 'absolute path not allowed', code: 'ABSOLUTE_PATH' };
+    }
+    // Validate allowed characters (alphanumeric, dash, underscore, dot, slash)
+    // Also allow .git suffix which is common
+    const allowedPattern = /^[a-zA-Z0-9_\-./]+$/;
+    if (!allowedPattern.test(trimmed)) {
+        return { valid: false, error: 'invalid characters in repository identifier', code: 'INVALID_CHARS' };
+    }
+    // Normalize the path
+    const normalized = normalizePath(trimmed);
+    // Strip .git suffix for consistency
+    const withoutGit = normalized.replace(/\.git\/?$/, '');
+    return { valid: true, normalizedPath: withoutGit || normalized };
+}
+/**
+ * Validate and sanitize a ref name for security.
+ *
+ * @description
+ * Combines Git ref name validation with security checks.
+ * This should be used in addition to the standard validateRefName function.
+ *
+ * @param refName - Ref name to validate
+ * @throws {PathSecurityError} If security violation detected
+ * @returns Normalized ref name
+ *
+ * @example
+ * ```typescript
+ * const safe = validateSecureRefName('refs/heads/main')  // 'refs/heads/main'
+ * validateSecureRefName('refs/../etc/passwd')  // throws PathSecurityError
+ * ```
+ */
+export function validateSecureRefName(refName) {
+    const result = validateRefPath(refName);
+    if (!result.valid) {
+        throw new PathSecurityError(`Invalid ref name: ${result.error}`, result.code);
+    }
+    return result.normalizedPath;
+}
+/**
+ * Validate and sanitize a repository identifier for security.
+ *
+ * @param repoId - Repository identifier to validate
+ * @throws {PathSecurityError} If security violation detected
+ * @returns Normalized repository identifier
+ */
+export function validateSecureRepositoryId(repoId) {
+    const result = validateRepositoryId(repoId);
+    if (!result.valid) {
+        throw new PathSecurityError(`Invalid repository identifier: ${result.error}`, result.code);
+    }
+    return result.normalizedPath;
+}
+//# sourceMappingURL=path-security.js.map

package/dist/wire/path-security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-security.js","sourceRoot":"","sources":["../../src/wire/path-security.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH;;GAEG;AACH,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IACjC,IAAI,CAAQ;IAErB,YAAY,OAAe,EAAE,OAAe,yBAAyB;QACnE,KAAK,CAAC,OAAO,CAAC,CAAA;QACd,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAA;QAC/B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAA;IAClB,CAAC;CACF;AAgBD;;;;;GAKG;AACH,SAAS,oBAAoB,CAAC,SAAiB;IAC7C,qBAAqB;IACrB,IAAI,SAAS,KAAK,IAAI;QAAE,OAAO,IAAI,CAAA;IACnC,uBAAuB;IACvB,IAAI,SAAS,KAAK,QAAQ,IAAI,SAAS,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAA;IACjE,qBAAqB;IACrB,IAAI,SAAS,KAAK,YAAY,IAAI,SAAS,KAAK,YAAY;QAAE,OAAO,IAAI,CAAA;IACzE,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,qBAAqB,CAAC,IAAY;IAChD,uBAAuB;IACvB,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QAChD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,uBAAuB;IACvB,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,OAAO,IAAI,CAAA;IACb,CAAC;IAED,gDAAgD;IAChD,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,EAAE,CAAA;IACpC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;QACrE,OAAO,IAAI,CAAA;IACb,CAAC;IAED,uCAAuC;IACvC,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;IACtC,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,IAAI,oBAAoB,CAAC,SAAS,CAAC,EAAE,CAAC;YACpC,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,qBAAqB;IACrB,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAErC,uCAAuC;IACvC,IAAI,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAA;IAE7C,mBAAmB;IACnB,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAA;IAExC,4BAA4B;IAC5B,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IAEjE,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,2BAA2B,CAAC,IAAY;IACtD,YAAY;IACZ,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAA;IAC1D,CAAC;IAED,8DAA8D;IAC9D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAA;QAC/B,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,IAAI,GAAG,IAAI,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,IAAI,CAAC,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;YAClF,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,4BAA4B,EAAE,CAAA;QAClE,CAAC;IACH,CAAC;IAED,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,CAAA;AAC7B,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAAC,IAAY;IACxC,2CAA2C;IAC3C,IAAI,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAA;IAEzC,2BAA2B;IAC3B,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;IAE5C,+CAA+C;IAC/C,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACtD,UAAU,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;IACtC,CAAC;IAED,sBAAsB;IACtB,MAAM,UAAU,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACxC,MAAM,QAAQ,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC,CAAA;IAE9D,oCAAoC;IACpC,IAAI,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/B,OAAO,GAAG,GAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACjC,CAAC;IAED,OAAO,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,GAAG,CAAA;AAClC,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,UAAU,eAAe,CAAC,OAAe;IAC7C,cAAc;IACd,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QACtC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,EAAE,IAAI,EAAE,YAAY,EAAE,CAAA;IACtE,CAAC;IAED,kBAAkB;IAClB,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAA;IAE9B,iCAAiC;IACjC,MAAM,WAAW,GAAG,2BAA2B,CAAC,OAAO,CAAC,CAAA;IACxD,IAAI,WAAW,CAAC,SAAS,EAAE,CAAC;QAC1B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,CAAC,MAAM,EAAE,IAAI,EAAE,iBAAiB,EAAE,CAAA;IAC7E,CAAC;IAED,2BAA2B;IAC3B,IAAI,qBAAqB,CAAC,OAAO,CAAC,EAAE,CAAC;QACnC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,yBAAyB,EAAE,IAAI,EAAE,gBAAgB,EAAE,CAAA;IACnF,CAAC;IAED,0BAA0B;IAC1B,IAAI,cAAc,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,2BAA2B,EAAE,IAAI,EAAE,eAAe,EAAE,CAAA;IACpF,CAAC;IAED,yDAAyD;IACzD,MAAM,aAAa,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;IACvC,MAAM,cAAc,GAAG,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CACjD,OAAO,KAAK,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,CACpE,CAAA;IAED,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,oBAAoB,EAAE,IAAI,EAAE,gBAAgB,EAAE,CAAA;IAC9E,CAAC;IAED,qBAAqB;IACrB,MAAM,UAAU,GAAG,aAAa,CAAC,OAAO,CAAC,CAAA;IAEzC,gEAAgE;IAChE,iEAAiE;IACjE,MAAM,wBAAwB,GAAG,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAC3D,UAAU,KAAK,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,CAAC,CAC1E,CAAA;IAED,IAAI,CAAC,wBAAwB,EAAE,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,gDAAgD,EAAE,IAAI,EAAE,kBAAkB,EAAE,CAAA;IAC5G,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,cAAc,EAAE,UAAU,EAAE,CAAA;AACpD,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAc;IACjD,cAAc;IACd,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QACpC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,6BAA6B,EAAE,IAAI,EAAE,YAAY,EAAE,CAAA;IACnF,CAAC;IAED,kBAAkB;IAClB,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,EAAE,CAAA;IAE7B,iCAAiC;IACjC,MAAM,WAAW,GAAG,2BAA2B,CAAC,OAAO,CAAC,CAAA;IACxD,IAAI,WAAW,CAAC,SAAS,EAAE,CAAC;QAC1B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,CAAC,MAAM,EAAE,IAAI,EAAE,iBAAiB,EAAE,CAAA;IAC7E,CAAC;IAED,2BAA2B;IAC3B,IAAI,qBAAqB,CAAC,OAAO,CAAC,EAAE,CAAC;QACnC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,yBAAyB,EAAE,IAAI,EAAE,gBAAgB,EAAE,CAAA;IACnF,CAAC;IAED,0BAA0B;IAC1B,IAAI,cAAc,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,2BAA2B,EAAE,IAAI,EAAE,eAAe,EAAE,CAAA;IACpF,CAAC;IAED,2EAA2E;IAC3E,yCAAyC;IACzC,MAAM,cAAc,GAAG,qBAAqB,CAAA;IAC5C,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAClC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,6CAA6C,EAAE,IAAI,EAAE,eAAe,EAAE,CAAA;IACtG,CAAC;IAED,qBAAqB;IACrB,MAAM,UAAU,GAAG,aAAa,CAAC,OAAO,CAAC,CAAA;IAEzC,oCAAoC;IACpC,MAAM,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAA;IAEtD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,cAAc,EAAE,UAAU,IAAI,UAAU,EAAE,CAAA;AAClE,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,qBAAqB,CAAC,OAAe;IACnD,MAAM,MAAM,GAAG,eAAe,CAAC,OAAO,CAAC,CAAA;IAEvC,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QAClB,MAAM,IAAI,iBAAiB,CACzB,qBAAqB,MAAM,CAAC,KAAK,EAAE,EACnC,MAAM,CAAC,IAAI,CACZ,CAAA;IACH,CAAC;IAED,OAAO,MAAM,CAAC,cAAe,CAAA;AAC/B,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,0BAA0B,CAAC,MAAc;IACvD,MAAM,MAAM,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAA;IAE3C,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QAClB,MAAM,IAAI,iBAAiB,CACzB,kCAAkC,MAAM,CAAC,KAAK,EAAE,EAChD,MAAM,CAAC,IAAI,CACZ,CAAA;IACH,CAAC;IAED,OAAO,MAAM,CAAC,cAAe,CAAA;AAC/B,CAAC"}

package/dist/wire/receive-pack.d.ts

@@ -696,6 +696,12 @@ export declare function unpackObjects(packfile: Uint8Array, _store: ObjectStore,
  * - Must not end with `.lock`
  * - Components must not start with `.`
  *
+ * Security considerations:
+ * - Prevents path traversal attacks via `../` sequences
+ * - Rejects absolute paths
+ * - Validates ref is within refs/ namespace or is HEAD
+ * - Blocks URL-encoded traversal attempts
+ *
  * @param refName - Ref name to validate
  * @returns true if the ref name is valid
  *
@@ -706,6 +712,7 @@ export declare function unpackObjects(packfile: Uint8Array, _store: ObjectStore,
  * validateRefName('refs/heads/.hidden')   // false (starts with .)
  * validateRefName('refs/heads/a..b')      // false (contains ..)
  * validateRefName('refs/heads/a b')       // false (contains space)
+ * validateRefName('refs/../../../etc/passwd')  // false (path traversal)
  * ```
  */
 export declare function validateRefName(refName: string): boolean;

package/dist/wire/receive-pack.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"receive-pack.d.ts","sourceRoot":"","sources":["../../src/wire/receive-pack.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAOlD;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,QAAQ,QAAiB,CAAA;AAatC;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,WAAW,GAAG;IAClB,8CAA8C;IAC9C,IAAI,EAAE,MAAM,CAAA;IACZ,kDAAkD;IAClD,GAAG,EAAE,MAAM,CAAA;IACX,uDAAuD;IACvD,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,WAAW,uBAAuB;IACtC,4CAA4C;IAC5C,YAAY,CAAC,EAAE,OAAO,CAAA;IACtB,sDAAsD;IACtD,cAAc,CAAC,EAAE,OAAO,CAAA;IACxB,kCAAkC;IAClC,UAAU,CAAC,EAAE,OAAO,CAAA;IACpB,iCAAiC;IACjC,KAAK,CAAC,EAAE,OAAO,CAAA;IACf,4CAA4C;IAC5C,MAAM,CAAC,EAAE,OAAO,CAAA;IAChB,6CAA6C;IAC7C,WAAW,CAAC,EAAE,OAAO,CAAA;IACrB,wCAAwC;IACxC,WAAW,CAAC,EAAE,OAAO,CAAA;IACrB,+CAA+C;IAC/C,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,yCAAyC;IACzC,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,MAAM,WAAW,gBAAgB;IAC/B,+CAA+C;IAC/C,MAAM,EAAE,MAAM,CAAA;IACd,+CAA+C;IAC/C,MAAM,EAAE,MAAM,CAAA;IACd,8CAA8C;IAC9C,OAAO,EAAE,MAAM,CAAA;IACf,8CAA8C;IAC9C,IAAI,EAAE,QAAQ,GAAG,QAAQ,GAAG,QAAQ,CAAA;IACpC,oDAAoD;IACpD,YAAY,CAAC,EAAE,MAAM,EAAE,CAAA;CACxB;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,eAAe;IAC9B,+BAA+B;IAC/B,OAAO,EAAE,MAAM,CAAA;IACf,mCAAmC;IACnC,OAAO,EAAE,OAAO,CAAA;IAChB,qCAAqC;IACrC,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,6CAA6C;IAC7C,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,wCAAwC;IACxC,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,yDAAyD;IACzD,MAAM,CAAC,EAAE,OAAO,CAAA;CACjB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,kBAAkB;IACjC,oCAAoC;IACpC,KAAK,EAAE,OAAO,CAAA;IACd,wCAAwC;IACxC,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,yCAAyC;IACzC,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAED;;;;;;;;;GASG;AACH,MAAM,MAAM,kBAAkB,GAAG,aAAa,GAAG,QAAQ,GAAG,cAAc,GAAG,aAAa,CAAA;AAE1F;;;;;;GAMG;AACH,MAAM,WAAW,UAAU;IACzB,iCAAiC;IACjC,OAAO,EAAE,OAAO,CAAA;IAChB,kDAAkD;IAClD,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,0DAA0D;IAC1D,WAAW,CAAC,EAAE,OAAO,CAAA;IACrB,0DAA0D;IAC1D,WAAW,CAAC,EAAE,OAAO,CAAA;IACrB,uCAAuC;IACvC,OAAO,CAAC,EAAE,eAAe,EAAE,CAAA;CAC5B;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,kBAAkB;IACjC,iDAAiD;IACjD,MAAM,EAAE,MAAM,CAAA;IACd,8BAA8B;IAC9B,YAAY,EAAE,uBAAuB,CAAA;IACrC,sCAAsC;IACtC,QAAQ,EAAE,gBAAgB,EAAE,CAAA;CAC7B;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,WAAW,WAAW;IAC1B;;;;OAIG;IACH,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,UAAU,CAAC;QAAC,IAAI,EAAE,UAAU,CAAA;KAAE,GAAG,IAAI,CAAC,CAAA;IAE9E;;;;OAIG;IACH,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;IAExC;;;;OAIG;IACH,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAA;IAEhD;;;OAGG;IACH,OAAO,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC,CAAA;IAEzB;;;;OAIG;IACH,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAAA;IAEzC;;;;OAIG;IACH,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAEhD;;;OAGG;IACH,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAEtC;;;;;OAKG;IACH,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAEvE;;;;;OAKG;IACH,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;CACnE;AAED;;;;;;GAMG;AACH,MAAM,WAAW,kBAAkB;IACjC,0BAA0B;IAC1B,QAAQ,EAAE,gBAAgB,EAAE,CAAA;IAC5B,sCAAsC;IACtC,YAAY,EAAE,MAAM,EAAE,CAAA;IACtB,2BAA2B;IAC3B,QAAQ,EAAE,UAAU,CAAA;IACpB,wDAAwD;IACxD,WAAW,EAAE,MAAM,EAAE,CAAA;CACtB;AAED;;;;;GAKG;AACH,MAAM,WAAW,iBAAiB;IAChC,2DAA2D;IAC3D,YAAY,EAAE,MAAM,CAAA;IACpB,kCAAkC;IAClC,UAAU,EAAE,eAAe,EAAE,CAAA;IAC7B,gDAAgD;IAChD,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CACjC;AAED;;;;;GAKG;AACH,MAAM,WAAW,YAAY;IAC3B,kCAAkC;IAClC,OAAO,EAAE,OAAO,CAAA;IAChB,iCAAiC;IACjC,eAAe,EAAE,MAAM,CAAA;IACvB,+BAA+B;IAC/B,YAAY,EAAE,MAAM,EAAE,CAAA;IACtB,wCAAwC;IACxC,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAED;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACpC,kCAAkC;IAClC,OAAO,EAAE,eAAe,EAAE,CAAA;CAC3B;AAED;;;;;;GAMG;AACH,MAAM,WAAW,qBAAqB;IACpC,oCAAoC;IACpC,OAAO,EAAE,OAAO,CAAA;IAChB,2BAA2B;IAC3B,OAAO,EAAE,eAAe,EAAE,CAAA;CAC3B;AAED;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACpC,uCAAuC;IACvC,OAAO,EAAE,OAAO,CAAA;IAChB,4CAA4C;IAC5C,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB;AAED;;;;;GAKG;AACH,MAAM,WAAW,sBAAsB;IACrC,mCAAmC;IACnC,aAAa,CAAC,EAAE,MAAM,EAAE,CAAA;IACxB,oCAAoC;IACpC,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAA;CAC9B;AAED;;;;;GAKG;AACH,MAAM,WAAW,sBAAsB;IACrC,qCAAqC;IACrC,SAAS,CAAC,EAAE,OAAO,CAAA;CACpB;AAED;;;;;GAKG;AACH,MAAM,WAAW,yBAAyB;IACxC,4BAA4B;IAC5B,cAAc,CAAC,EAAE,OAAO,CAAA;IACxB,2BAA2B;IAC3B,UAAU,CAAC,EAAE,OAAO,CAAA;CACrB;AAED;;;;;GAKG;AACH,MAAM,WAAW,aAAa;IAC5B,4BAA4B;IAC5B,YAAY,CAAC,EAAE,OAAO,CAAA;IACtB,wBAAwB;IACxB,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAA;CACvC;AAED;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IAC1B,8BAA8B;IAC9B,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,oCAAoC;IACpC,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;CACvB;AAMD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,4BAA4B,CAAC,YAAY,EAAE,uBAAuB,GAAG,MAAM,CAc1F;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,wBAAwB,CAAC,UAAU,EAAE,MAAM,GAAG,uBAAuB,CAsBpF;AAMD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,kBAAkB,CAMvE;AAMD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,WAAW,EAClB,YAAY,CAAC,EAAE,uBAAuB,GACrC,OAAO,CAAC,MAAM,CAAC,CAyDjB;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,gBAAgB,CA+C/D;AAqCD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,UAAU,GAAG,kBAAkB,CA+E5E;AAMD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,UAAU,EACpB,OAAO,CAAC,EAAE,yBAAyB,GAClC,OAAO,CAAC,kBAAkB,CAAC,CA4D7B;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAsB,aAAa,CACjC,QAAQ,EAAE,UAAU,EACpB,MAAM,EAAE,WAAW,EACnB,OAAO,CAAC,EAAE,aAAa,GACtB,OAAO,CAAC,YAAY,CAAC,CAgDvB;AAMD;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CA0DxD;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAsB,mBAAmB,CACvC,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,WAAW,GACjB,OAAO,CAAC,OAAO,CAAC,CAalB;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,QAAQ,GAAG,QAAQ,GAAG,QAAQ,GAAG,cAAc,EAC1D,OAAO,EAAE,sBAAsB,GAC9B,OAAO,CAAC,qBAAqB,CAAC,CAwBhC;AAqBD;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,kBAAkB,EAC3B,QAAQ,EAAE,gBAAgB,EAAE,EAC5B,KAAK,EAAE,WAAW,EAClB,OAAO,CAAC,EAAE,sBAAsB,GAC/B,OAAO,CAAC,qBAAqB,CAAC,CA2DhC;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,UAAU,CAC9B,QAAQ,EAAE,gBAAgB,EAAE,EAC5B,KAAK,EAAE,WAAW,GACjB,OAAO,CAAC,IAAI,CAAC,CAQf;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,gBAAgB,EAAE,EAC5B,KAAK,EAAE,WAAW,GACjB,OAAO,CAAC,qBAAqB,CAAC,CAsDhC;AAMD,KAAK,gBAAgB,GAAG,CACtB,QAAQ,EAAE,gBAAgB,EAAE,EAC5B,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KACxB,OAAO,CAAC,UAAU,CAAC,CAAA;AAExB,KAAK,YAAY,GAAG,CAClB,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KACxB,OAAO,CAAC,UAAU,CAAC,CAAA;AAExB,KAAK,iBAAiB,GAAG,CACvB,QAAQ,EAAE,gBAAgB,EAAE,EAC5B,OAAO,EAAE,eAAe,EAAE,EAC1B,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KACxB,OAAO,CAAC,UAAU,CAAC,CAAA;AAExB,KAAK,gBAAgB,GAAG,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,OAAO,CAAC,UAAU,CAAC,CAAA;AAEnE;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAsB,qBAAqB,CACzC,QAAQ,EAAE,gBAAgB,EAAE,EAC5B,MAAM,EAAE,WAAW,EACnB,MAAM,EAAE,gBAAgB,EACxB,GAAG,GAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAM,EAChC,OAAO,CAAC,EAAE,WAAW,GACpB,OAAO,CAAC,UAAU,CAAC,CAiBrB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAsB,iBAAiB,CACrC,QAAQ,EAAE,gBAAgB,EAAE,EAC5B,MAAM,EAAE,WAAW,EACnB,MAAM,EAAE,YAAY,EACpB,GAAG,GAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAM,GAC/B,OAAO,CAAC;IAAE,OAAO,EAAE,eAAe,EAAE,CAAA;CAAE,CAAC,CAazC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,wBAAsB,sBAAsB,CAC1C,QAAQ,EAAE,gBAAgB,EAAE,EAC5B,OAAO,EAAE,eAAe,EAAE,EAC1B,MAAM,EAAE,WAAW,EACnB,MAAM,EAAE,iBAAiB,EACzB,OAAO,CAAC,EAAE,WAAW,GACpB,OAAO,CAAC;IAAE,WAAW,EAAE,OAAO,CAAC;IAAC,WAAW,EAAE,OAAO,CAAA;CAAE,CAAC,CAmBzD;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAsB,qBAAqB,CACzC,SAAS,EAAE,gBAAgB,EAAE,EAC7B,OAAO,EAAE,eAAe,EAAE,EAC1B,MAAM,EAAE,gBAAgB,GACvB,OAAO,CAAC,IAAI,CAAC,CAQf;AAMD;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,iBAAiB,GAAG,MAAM,CAoBnE;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,iBAAiB,GAAG,MAAM,CA+BrE;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,UAAU,CACxB,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,EACd,OAAO,EAAE;IAAE,YAAY,CAAC,EAAE,OAAO,CAAC;IAAC,QAAQ,CAAC,EAAE,OAAO,CAAA;CAAE,GACtD,MAAM,GAAG,UAAU,CAgBrB;AAMD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,UAAU,EACnB,KAAK,EAAE,WAAW,GACjB,OAAO,CAAC,UAAU,CAAC,CA4GrB"}
+{"version":3,"file":"receive-pack.d.ts","sourceRoot":"","sources":["../../src/wire/receive-pack.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAQlD;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,QAAQ,QAAiB,CAAA;AAatC;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,WAAW,GAAG;IAClB,8CAA8C;IAC9C,IAAI,EAAE,MAAM,CAAA;IACZ,kDAAkD;IAClD,GAAG,EAAE,MAAM,CAAA;IACX,uDAAuD;IACvD,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,WAAW,uBAAuB;IACtC,4CAA4C;IAC5C,YAAY,CAAC,EAAE,OAAO,CAAA;IACtB,sDAAsD;IACtD,cAAc,CAAC,EAAE,OAAO,CAAA;IACxB,kCAAkC;IAClC,UAAU,CAAC,EAAE,OAAO,CAAA;IACpB,iCAAiC;IACjC,KAAK,CAAC,EAAE,OAAO,CAAA;IACf,4CAA4C;IAC5C,MAAM,CAAC,EAAE,OAAO,CAAA;IAChB,6CAA6C;IAC7C,WAAW,CAAC,EAAE,OAAO,CAAA;IACrB,wCAAwC;IACxC,WAAW,CAAC,EAAE,OAAO,CAAA;IACrB,+CAA+C;IAC/C,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,yCAAyC;IACzC,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,MAAM,WAAW,gBAAgB;IAC/B,+CAA+C;IAC/C,MAAM,EAAE,MAAM,CAAA;IACd,+CAA+C;IAC/C,MAAM,EAAE,MAAM,CAAA;IACd,8CAA8C;IAC9C,OAAO,EAAE,MAAM,CAAA;IACf,8CAA8C;IAC9C,IAAI,EAAE,QAAQ,GAAG,QAAQ,GAAG,QAAQ,CAAA;IACpC,oDAAoD;IACpD,YAAY,CAAC,EAAE,MAAM,EAAE,CAAA;CACxB;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,eAAe;IAC9B,+BAA+B;IAC/B,OAAO,EAAE,MAAM,CAAA;IACf,mCAAmC;IACnC,OAAO,EAAE,OAAO,CAAA;IAChB,qCAAqC;IACrC,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,6CAA6C;IAC7C,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,wCAAwC;IACxC,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,yDAAyD;IACzD,MAAM,CAAC,EAAE,OAAO,CAAA;CACjB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,kBAAkB;IACjC,oCAAoC;IACpC,KAAK,EAAE,OAAO,CAAA;IACd,wCAAwC;IACxC,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,yCAAyC;IACzC,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAED;;;;;;;;;GASG;AACH,MAAM,MAAM,kBAAkB,GAAG,aAAa,GAAG,QAAQ,GAAG,cAAc,GAAG,aAAa,CAAA;AAE1F;;;;;;GAMG;AACH,MAAM,WAAW,UAAU;IACzB,iCAAiC;IACjC,OAAO,EAAE,OAAO,CAAA;IAChB,kDAAkD;IAClD,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,0DAA0D;IAC1D,WAAW,CAAC,EAAE,OAAO,CAAA;IACrB,0DAA0D;IAC1D,WAAW,CAAC,EAAE,OAAO,CAAA;IACrB,uCAAuC;IACvC,OAAO,CAAC,EAAE,eAAe,EAAE,CAAA;CAC5B;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,kBAAkB;IACjC,iDAAiD;IACjD,MAAM,EAAE,MAAM,CAAA;IACd,8BAA8B;IAC9B,YAAY,EAAE,uBAAuB,CAAA;IACrC,sCAAsC;IACtC,QAAQ,EAAE,gBAAgB,EAAE,CAAA;CAC7B;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,WAAW,WAAW;IAC1B;;;;OAIG;IACH,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,UAAU,CAAC;QAAC,IAAI,EAAE,UAAU,CAAA;KAAE,GAAG,IAAI,CAAC,CAAA;IAE9E;;;;OAIG;IACH,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;IAExC;;;;OAIG;IACH,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAA;IAEhD;;;OAGG;IACH,OAAO,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC,CAAA;IAEzB;;;;OAIG;IACH,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAAA;IAEzC;;;;OAIG;IACH,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAEhD;;;OAGG;IACH,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAEtC;;;;;OAKG;IACH,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAEvE;;;;;OAKG;IACH,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;CACnE;AAED;;;;;;GAMG;AACH,MAAM,WAAW,kBAAkB;IACjC,0BAA0B;IAC1B,QAAQ,EAAE,gBAAgB,EAAE,CAAA;IAC5B,sCAAsC;IACtC,YAAY,EAAE,MAAM,EAAE,CAAA;IACtB,2BAA2B;IAC3B,QAAQ,EAAE,UAAU,CAAA;IACpB,wDAAwD;IACxD,WAAW,EAAE,MAAM,EAAE,CAAA;CACtB;AAED;;;;;GAKG;AACH,MAAM,WAAW,iBAAiB;IAChC,2DAA2D;IAC3D,YAAY,EAAE,MAAM,CAAA;IACpB,kCAAkC;IAClC,UAAU,EAAE,eAAe,EAAE,CAAA;IAC7B,gDAAgD;IAChD,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CACjC;AAED;;;;;GAKG;AACH,MAAM,WAAW,YAAY;IAC3B,kCAAkC;IAClC,OAAO,EAAE,OAAO,CAAA;IAChB,iCAAiC;IACjC,eAAe,EAAE,MAAM,CAAA;IACvB,+BAA+B;IAC/B,YAAY,EAAE,MAAM,EAAE,CAAA;IACtB,wCAAwC;IACxC,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAED;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACpC,kCAAkC;IAClC,OAAO,EAAE,eAAe,EAAE,CAAA;CAC3B;AAED;;;;;;GAMG;AACH,MAAM,WAAW,qBAAqB;IACpC,oCAAoC;IACpC,OAAO,EAAE,OAAO,CAAA;IAChB,2BAA2B;IAC3B,OAAO,EAAE,eAAe,EAAE,CAAA;CAC3B;AAED;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACpC,uCAAuC;IACvC,OAAO,EAAE,OAAO,CAAA;IAChB,4CAA4C;IAC5C,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB;AAED;;;;;GAKG;AACH,MAAM,WAAW,sBAAsB;IACrC,mCAAmC;IACnC,aAAa,CAAC,EAAE,MAAM,EAAE,CAAA;IACxB,oCAAoC;IACpC,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAA;CAC9B;AAED;;;;;GAKG;AACH,MAAM,WAAW,sBAAsB;IACrC,qCAAqC;IACrC,SAAS,CAAC,EAAE,OAAO,CAAA;CACpB;AAED;;;;;GAKG;AACH,MAAM,WAAW,yBAAyB;IACxC,4BAA4B;IAC5B,cAAc,CAAC,EAAE,OAAO,CAAA;IACxB,2BAA2B;IAC3B,UAAU,CAAC,EAAE,OAAO,CAAA;CACrB;AAED;;;;;GAKG;AACH,MAAM,WAAW,aAAa;IAC5B,4BAA4B;IAC5B,YAAY,CAAC,EAAE,OAAO,CAAA;IACtB,wBAAwB;IACxB,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAA;CACvC;AAED;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IAC1B,8BAA8B;IAC9B,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,oCAAoC;IACpC,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;CACvB;AAMD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,4BAA4B,CAAC,YAAY,EAAE,uBAAuB,GAAG,MAAM,CAc1F;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,wBAAwB,CAAC,UAAU,EAAE,MAAM,GAAG,uBAAuB,CAsBpF;AAMD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,kBAAkB,CAMvE;AAMD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,WAAW,EAClB,YAAY,CAAC,EAAE,uBAAuB,GACrC,OAAO,CAAC,MAAM,CAAC,CAyDjB;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,gBAAgB,CA+C/D;AAqCD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,UAAU,GAAG,kBAAkB,CA+E5E;AAMD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,UAAU,EACpB,OAAO,CAAC,EAAE,yBAAyB,GAClC,OAAO,CAAC,kBAAkB,CAAC,CA4D7B;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAsB,aAAa,CACjC,QAAQ,EAAE,UAAU,EACpB,MAAM,EAAE,WAAW,EACnB,OAAO,CAAC,EAAE,aAAa,GACtB,OAAO,CAAC,YAAY,CAAC,CAgDvB;AAMD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAoFxD;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAsB,mBAAmB,CACvC,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,WAAW,GACjB,OAAO,CAAC,OAAO,CAAC,CAalB;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,QAAQ,GAAG,QAAQ,GAAG,QAAQ,GAAG,cAAc,EAC1D,OAAO,EAAE,sBAAsB,GAC9B,OAAO,CAAC,qBAAqB,CAAC,CAwBhC;AAqBD;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,kBAAkB,EAC3B,QAAQ,EAAE,gBAAgB,EAAE,EAC5B,KAAK,EAAE,WAAW,EAClB,OAAO,CAAC,EAAE,sBAAsB,GAC/B,OAAO,CAAC,qBAAqB,CAAC,CA2DhC;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,UAAU,CAC9B,QAAQ,EAAE,gBAAgB,EAAE,EAC5B,KAAK,EAAE,WAAW,GACjB,OAAO,CAAC,IAAI,CAAC,CAQf;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,gBAAgB,EAAE,EAC5B,KAAK,EAAE,WAAW,GACjB,OAAO,CAAC,qBAAqB,CAAC,CAsDhC;AAMD,KAAK,gBAAgB,GAAG,CACtB,QAAQ,EAAE,gBAAgB,EAAE,EAC5B,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KACxB,OAAO,CAAC,UAAU,CAAC,CAAA;AAExB,KAAK,YAAY,GAAG,CAClB,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KACxB,OAAO,CAAC,UAAU,CAAC,CAAA;AAExB,KAAK,iBAAiB,GAAG,CACvB,QAAQ,EAAE,gBAAgB,EAAE,EAC5B,OAAO,EAAE,eAAe,EAAE,EAC1B,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KACxB,OAAO,CAAC,UAAU,CAAC,CAAA;AAExB,KAAK,gBAAgB,GAAG,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,OAAO,CAAC,UAAU,CAAC,CAAA;AAEnE;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAsB,qBAAqB,CACzC,QAAQ,EAAE,gBAAgB,EAAE,EAC5B,MAAM,EAAE,WAAW,EACnB,MAAM,EAAE,gBAAgB,EACxB,GAAG,GAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAM,EAChC,OAAO,CAAC,EAAE,WAAW,GACpB,OAAO,CAAC,UAAU,CAAC,CAiBrB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAsB,iBAAiB,CACrC,QAAQ,EAAE,gBAAgB,EAAE,EAC5B,MAAM,EAAE,WAAW,EACnB,MAAM,EAAE,YAAY,EACpB,GAAG,GAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAM,GAC/B,OAAO,CAAC;IAAE,OAAO,EAAE,eAAe,EAAE,CAAA;CAAE,CAAC,CAazC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,wBAAsB,sBAAsB,CAC1C,QAAQ,EAAE,gBAAgB,EAAE,EAC5B,OAAO,EAAE,eAAe,EAAE,EAC1B,MAAM,EAAE,WAAW,EACnB,MAAM,EAAE,iBAAiB,EACzB,OAAO,CAAC,EAAE,WAAW,GACpB,OAAO,CAAC;IAAE,WAAW,EAAE,OAAO,CAAC;IAAC,WAAW,EAAE,OAAO,CAAA;CAAE,CAAC,CAmBzD;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAsB,qBAAqB,CACzC,SAAS,EAAE,gBAAgB,EAAE,EAC7B,OAAO,EAAE,eAAe,EAAE,EAC1B,MAAM,EAAE,gBAAgB,GACvB,OAAO,CAAC,IAAI,CAAC,CAQf;AAMD;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,iBAAiB,GAAG,MAAM,CAoBnE;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,iBAAiB,GAAG,MAAM,CA+BrE;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,UAAU,CACxB,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,EACd,OAAO,EAAE;IAAE,YAAY,CAAC,EAAE,OAAO,CAAC;IAAC,QAAQ,CAAC,EAAE,OAAO,CAAA;CAAE,GACtD,MAAM,GAAG,UAAU,CAgBrB;AAMD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,kBAAkB,EAC3B,OAAO,EAAE,UAAU,EACnB,KAAK,EAAE,WAAW,GACjB,OAAO,CAAC,UAAU,CAAC,CA4GrB"}

package/dist/wire/receive-pack.js

@@ -43,6 +43,7 @@
  * ```
  */
 import { encodePktLine, FLUSH_PKT } from './pkt-line';
+import { containsPathTraversal, isAbsolutePath, containsDangerousCharacters } from './path-security';
 // ============================================================================
 // Constants
 // ============================================================================
@@ -624,6 +625,12 @@ export async function unpackObjects(packfile, _store, options) {
  * - Must not end with `.lock`
  * - Components must not start with `.`
  *
+ * Security considerations:
+ * - Prevents path traversal attacks via `../` sequences
+ * - Rejects absolute paths
+ * - Validates ref is within refs/ namespace or is HEAD
+ * - Blocks URL-encoded traversal attempts
+ *
  * @param refName - Ref name to validate
  * @returns true if the ref name is valid
  *
@@ -634,6 +641,7 @@ export async function unpackObjects(packfile, _store, options) {
  * validateRefName('refs/heads/.hidden')   // false (starts with .)
  * validateRefName('refs/heads/a..b')      // false (contains ..)
  * validateRefName('refs/heads/a b')       // false (contains space)
+ * validateRefName('refs/../../../etc/passwd')  // false (path traversal)
  * ```
  */
 export function validateRefName(refName) {
@@ -641,6 +649,26 @@ export function validateRefName(refName) {
     if (!refName || refName.length === 0) {
         return false;
     }
+    // SECURITY: Check for path traversal attacks
+    if (containsPathTraversal(refName)) {
+        return false;
+    }
+    // SECURITY: Check for absolute paths
+    if (isAbsolutePath(refName)) {
+        return false;
+    }
+    // SECURITY: Check for dangerous characters (null bytes, control chars)
+    const dangerCheck = containsDangerousCharacters(refName);
+    if (dangerCheck.dangerous) {
+        return false;
+    }
+    // SECURITY: Validate ref prefix (must start with refs/ or be HEAD)
+    // This ensures refs can't escape to arbitrary filesystem paths
+    const validPrefixes = ['refs/', 'HEAD'];
+    const hasValidPrefix = validPrefixes.some(prefix => refName === prefix.replace(/\/$/, '') || refName.startsWith(prefix));
+    if (!hasValidPrefix) {
+        return false;
+    }
     // Must not start or end with slash
     if (refName.startsWith('/') || refName.endsWith('/')) {
         return false;
@@ -649,7 +677,7 @@ export function validateRefName(refName) {
     if (refName.includes('//')) {
         return false;
     }
-    // Must not contain double dots
+    // Must not contain double dots (already caught by containsPathTraversal, but explicit)
     if (refName.includes('..')) {
         return false;
     }