fix: validate repo parameter before cache and GitHub API calls

[Ridanshi]

Closes #1700

Problem

GET /api/metrics/repo-analytics accepted arbitrary values for the ?repo= query parameter and interpolated them directly into GitHub API URL paths and cache keys with no format validation:

GET /api/metrics/repo-analytics?repo=octocat/Hello-World/issues

would silently construct and call:

GET https://api.github.com/repos/octocat/Hello-World/issues
GET https://api.github.com/repos/octocat/Hello-World/issues/contributors
GET https://api.github.com/repos/octocat/Hello-World/issues/languages
GET https://api.github.com/repos/octocat/Hello-World/issues/stats/commit_activity

These are entirely different GitHub API endpoints (issue lists, not repository metadata). The only guard was if (!repoParam), which passes for any non-empty string.

Consequences confirmed by code reading:

1. Extra path segments reach unintended GitHub API endpoints (the reported case: owner/repo/issues)
2. Path traversal patterns such as owner/.. are accepted and forwarded
3. Cache pollution: the raw value lands in the cache key (repo-analytics-${repoParam}), so malformed inputs create permanent cache entries for non-existent resources
4. Unnecessary rate-limit consumption: GitHub API quota is spent on requests that will always fail or return wrong data

Root cause

Three lines in src/app/api/metrics/repo-analytics/route.ts:

// Line 23 — raw input in cache key
const key = metricsCacheKey(…, `repo-analytics-${repoParam}` as any, …);

// Lines 27, 34, 40, 57 — raw input in URL paths
fetch(`${GITHUB_API}/repos/${repoParam}`, …)
fetch(`${GITHUB_API}/repos/${repoParam}/contributors?per_page=10`, …)
fetch(`${GITHUB_API}/repos/${repoParam}/languages`, …)
fetch(`${GITHUB_API}/repos/${repoParam}/stats/commit_activity`, …)

Fix

src/app/api/metrics/repo-analytics/route.ts

Introduces parseRepoParam(raw) — validates the raw string against a strict regex before any other processing:

REPO_IDENTIFIER_RE = /^([a-zA-Z0-9](?:[a-zA-Z0-9-]{0,37}[a-zA-Z0-9])?)\/([a-zA-Z0-9._-]{1,100})$/

Rules enforced:

• owner: 1–39 chars, alphanumeric + hyphens, cannot start or end with a hyphen (mirrors GitHub's account name rules)
• repo: 1–100 chars, alphanumeric, dots, hyphens, underscores
• Exactly one slash between them — any extra segment is rejected
• . and .. are explicitly excluded as repo names even though they match the character set

On validation failure → 400 Bad Request is returned immediately, before the cache key is computed or any fetch() is called.

GitHub API URLs are then built from encodeURIComponent(owner)/encodeURIComponent(repo) so each path segment is individually URL-safe.

Request lifecycle (after fix)

Request arrives
  → parseRepoParam()  ← new validation gate
      ├── invalid  →  400 (no cache key, no fetch)
      └── valid    →  metricsCacheKey()  →  withMetricsCache()  →  fetch()

Tests

test/repo-analytics-validation.test.ts — 37 new tests:

Category	Cases
Valid inputs	Standard, single-char, max-length owner (39), max-length repo (100), dots, hyphens, underscores, whitespace trimming
Missing segments	No slash, empty string, whitespace-only, trailing slash, leading slash
Extra path segments (regression)	Three-segment path (owner/repo/issues), four-segment path
Path traversal	owner/.., owner/., ../../../admin, double leading slash
Invalid characters	Spaces, @, ?, null bytes
Length violations	Owner 40 chars, repo 101 chars
Hyphen rules	Owner starts with hyphen, owner ends with hyphen
Route 401/400 integration	No session, missing param, each malformed category
Fetch/cache not called	All 400 paths confirmed to skip fetch() and withMetricsCache()
Valid path proceeds	withMetricsCache is called; cache key uses validated, trimmed form
Cache key correctness	Raw whitespace-padded input maps to the same clean cache key

All 37 pass. The one pre-existing failure in test/dateUtils.test.ts (timezone boundary) is unrelated to this change.

[vercel]

@Ridanshi is attempting to deploy a commit to the PRIYANSHU DOSHI's projects Team on Vercel.

A member of the Team first needs to authorize it.

[github-actions]

GSSoC Label Checklist 🏷️

@Priyanshu-byte-coder — please apply the appropriate labels before merging:

Difficulty (pick one):

• level:beginner — 20 pts
• level:intermediate — 35 pts
• level:advanced — 55 pts
• level:critical — 80 pts

Quality (optional):

• quality:clean — ×1.2 multiplier
• quality:exceptional — ×1.5 multiplier

Validation (required to score):

• gssoc:approved — counts for points
• gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus

[github-actions]

🎉 Merged! Thanks for contributing to DevTrack.

If the project has been useful to you, a ⭐ star on the repo is the easiest way to support it — it helps DevTrack get discovered by more developers.

Keep an eye on open issues for your next contribution!