From 2c90f429fe848aa2387e1de410f3634f37fe8a5d Mon Sep 17 00:00:00 2001
From: anshul23102
Date: Wed, 3 Jun 2026 18:39:12 +0530
Subject: [PATCH] fix(search): strip GitHub qualifier injection from search filter input
The search filter value was appended to the GitHub query string verbatim. A caller who types a GitHub qualifier such as 'repo:other/repo' into the search field could override the repository scope and retrieve issues from unintended repositories, bypassing the username-scoped query the hook builds. Strip key:value qualifier patterns from filters.search before appending it to the query. This allows plain keyword searches to work as intended while preventing operator injection. Closes #690
---
 src/hooks/useGitHubData.ts | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/hooks/useGitHubData.ts b/src/hooks/useGitHubData.ts
index f4c78cf6..8c7525cf 100644
--- a/src/hooks/useGitHubData.ts
+++ b/src/hooks/useGitHubData.ts
@@ -46,7 +46,17 @@ export const useGitHubData = (
 let q = `author:${username} is:${type}`;
 if (filters.search) {
- q += ` ${filters.search} in:title`;
+ // Strip GitHub search qualifiers (key:value pairs) from the free-text
+ // search term before appending it to the query string. Allowing raw
+ // qualifier injection lets a caller override repo:, author:, is:, and
+ // other operators already set by the hook, potentially leaking data
+ // from repositories outside the intended scope.
+ const sanitizedSearch = filters.search
+ .replace(/[a-zA-Z_-]+:[^\s]*/g, '')
+ .trim();
+ if (sanitizedSearch) {
+ q += ` ${sanitizedSearch} in:title`;
+ }
 }
 if (filters.repo) {