From 8cdb9b4e5eb6d683c264e72713fbee7447c46648 Mon Sep 17 00:00:00 2001
From: wangdachui-bot
Date: Sun, 17 May 2026 21:53:03 +0800
Subject: [PATCH] fix: tighten require_repo_name and add issue.user null guard
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

O1 — require_repo_name() now rejects '.' and '..' and requires a leading alphanumeric, making path-traversal impossible by construction.
O5 — issue-welcome.yml guards against null issue.user (ghost/deleted accounts) before reading issue.user.type.
Follow-up to #19 (merged).
---
 .github/workflows/issue-welcome.yml | 3 ++-
 .github/workflows/octo-ci-status.yml | 2 +-
 .github/workflows/octo-issue-feed.yml | 2 +-
 .github/workflows/octo-pr-feed.yml | 2 +-
 4 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/issue-welcome.yml b/.github/workflows/issue-welcome.yml
index e40c11a..16e2651 100644
--- a/.github/workflows/issue-welcome.yml
+++ b/.github/workflows/issue-welcome.yml
@@ -24,7 +24,8 @@ jobs:
 return;
 }
 // Skip bot-opened issues (Dependabot, etc.)
- if (issue.user.type === 'Bot') {
+ // Guard against ghost/deleted user accounts where issue.user may be null
+ if (issue.user && issue.user.type === 'Bot') {
 console.log('Skipping bot-opened issue');
 return;
 }
diff --git a/.github/workflows/octo-ci-status.yml b/.github/workflows/octo-ci-status.yml
index f7f94b0..fb74086 100644
--- a/.github/workflows/octo-ci-status.yml
+++ b/.github/workflows/octo-ci-status.yml
@@ -82,7 +82,7 @@ jobs:
 def require_repo_name(name):
 """Validate repo name to prevent path traversal in GitHub API URLs."""
 val = require_env(name)
- if not re.fullmatch(r'[A-Za-z0-9._-]{1,100}', val):
+ if not re.fullmatch(r'[A-Za-z0-9][A-Za-z0-9._-]{0,99}', val) or val in {'.', '..'}:
 print(f'ERROR: {name} contains invalid characters: {val!r}')
 sys.exit(2)
 return val
diff --git a/.github/workflows/octo-issue-feed.yml b/.github/workflows/octo-issue-feed.yml
index b4a9f5d..9602a9e 100644
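Review bot: The null guard on `issue.user` protects only the `.type` read in this branch; if the welcome step further down reads `issue.user.login` (for example to address the author), that read needs the same guard or the script will still throw on ghost accounts — the `script:` body continues outside the hunk. A more compact form with the same semantics is optional chaining, `if (issue.user?.type === 'Bot') {`, which is available on every Node version actions/github-script currently runs on, assuming that is the action in use here. The comment explaining why `issue.user` can be null is worth keeping either way.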
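Review bot: The new leading-`[A-Za-z0-9]` requirement rejects repository names that GitHub itself accepts, such as `.github` (the organisation-profile repository) and other dot-prefixed names, so a workflow pointed at one of them now exits 2 with `contains invalid characters`. It also makes the `or val in {'.', '..'}` clause unreachable, since neither string can match a pattern that must begin with an alphanumeric. If the goal is only to keep `.` and `..` from becoming a path segment of the API URL (the character class already excludes `/`), the original class plus the explicit set check is sufficient: `if not re.fullmatch(r'[A-Za-z0-9._-]{1,100}', val) or val in {'.', '..'}:`. The identical change in octo-issue-feed.yml and octo-pr-feed.yml should track whatever is decided here. The docstring could also state the accepted grammar, e.g. `"""Validate repo name (alnum, '.', '_', '-'; 1-100 chars; not '.' or '..') to prevent path traversal in GitHub API URLs."""`.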
--- a/.github/workflows/octo-issue-feed.yml
+++ b/.github/workflows/octo-issue-feed.yml
@@ -90,7 +90,7 @@ jobs:
 def require_repo_name(name):
 """Validate repo name to prevent path traversal in GitHub API URLs."""
 val = require_env(name)
- if not re.fullmatch(r'[A-Za-z0-9._-]{1,100}', val):
+ if not re.fullmatch(r'[A-Za-z0-9][A-Za-z0-9._-]{0,99}', val) or val in {'.', '..'}:
 print(f'ERROR: {name} contains invalid characters: {val!r}')
 sys.exit(2)
 return val
diff --git a/.github/workflows/octo-pr-feed.yml b/.github/workflows/octo-pr-feed.yml
index 75afaa3..9f3cf05 100644
--- a/.github/workflows/octo-pr-feed.yml
+++ b/.github/workflows/octo-pr-feed.yml
@@ -107,7 +107,7 @@ jobs:
 def require_repo_name(name):
 """Validate repo name to prevent path traversal in GitHub API URLs."""
 val = require_env(name)
- if not re.fullmatch(r'[A-Za-z0-9._-]{1,100}', val):
+ if not re.fullmatch(r'[A-Za-z0-9][A-Za-z0-9._-]{0,99}', val) or val in {'.', '..'}:
 print(f'ERROR: {name} contains invalid characters: {val!r}')
 sys.exit(2)
 return val