From a41ae27882cfd9c33c165c73ffa52c4be2469516 Mon Sep 17 00:00:00 2001
From: dvankeke <dvankeke@akamai.com>
Date: Mon, 11 May 2026 11:02:24 +0200
Subject: [PATCH 1/2] fix: secure repo url

---
 src/api-v2.authz.test.ts        |  6 +--
 src/api.authz.test.ts           |  2 +-
 src/openapi/definitions.yaml    |  4 +-
 src/utils/codeRepoUtils.test.ts | 15 +++++++-
 src/utils/codeRepoUtils.ts      | 67 +++++++++++++++++++++------------
 5 files changed, 62 insertions(+), 32 deletions(-)

diff --git a/src/api-v2.authz.test.ts b/src/api-v2.authz.test.ts
index 88eb3bc4b..8e4cfd12b 100644
--- a/src/api-v2.authz.test.ts
+++ b/src/api-v2.authz.test.ts
@@ -4,12 +4,12 @@ import { initApp, loadSpec } from 'src/app'
 import getToken from 'src/fixtures/jwt'
 import OtomiStack from 'src/otomi-stack'
 import request from 'supertest'
-import { Git } from './git'
-import { getSessionStack } from './middleware'
-import * as getValuesSchemaModule from './utils'
 import TestAgent from 'supertest/lib/agent'
 import { FileStore } from './fileStore/file-store'
+import { Git } from './git'
+import { getSessionStack } from './middleware'
 import { AplKind } from './otomi-models'
+import * as getValuesSchemaModule from './utils'
 
 const platformAdminToken = getToken(['platform-admin'])
 const teamAdminToken = getToken(['team-admin', 'team-team1'])
diff --git a/src/api.authz.test.ts b/src/api.authz.test.ts
index 9a02ba702..ddc5a4fc9 100644
--- a/src/api.authz.test.ts
+++ b/src/api.authz.test.ts
@@ -698,7 +698,7 @@ describe('API authz tests', () => {
     const data = {
       name: 'demo',
       gitService: 'github' as 'gitea' | 'github' | 'gitlab',
-      repositoryUrl: 'https://github.com/buildpacks/samples',
+      repositoryUrl: 'github.com/buildpacks/samples',
       private: true,
       secret: 'demo',
     }
diff --git a/src/openapi/definitions.yaml b/src/openapi/definitions.yaml
index 84b4e2f00..9268d1359 100644
--- a/src/openapi/definitions.yaml
+++ b/src/openapi/definitions.yaml
@@ -940,7 +940,7 @@ replicas:
   default: 1
 repoUrl:
   description: Path to a remote git repo without protocol. Will use https to access.
-  pattern: ^(.+@)*([\w\d\.]+)(:[\d]+){0,1}/*(.*)$
+  pattern: '^(https://)?(github\.com|gitlab\.com|[^/\s]+\.gitea[^/\s]*)/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:\.git)?$'
   type: string
   x-message: a valid git repo URL
   example: github.com/example/repo
@@ -1099,7 +1099,7 @@ svcPredeployed:
 url:
   pattern: ^https?:\/\/[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&\/=]*)
   type: string
-  example: https://gituhb.com/example
+  example: https://github.com/example
 vaultToken:
   title: Token
   type: string
diff --git a/src/utils/codeRepoUtils.test.ts b/src/utils/codeRepoUtils.test.ts
index 27dbf2c48..a9627e704 100644
--- a/src/utils/codeRepoUtils.test.ts
+++ b/src/utils/codeRepoUtils.test.ts
@@ -118,11 +118,22 @@ describe('codeRepoUtils', () => {
       expect(result).toEqual('git@github.com:user/repo.git')
     })
 
-    it('should normalize HTTPS URL', () => {
-      const result = normalizeRepoUrl('https://github.com/user/repo', false, false)
+    it('should normalize protocol-less HTTPS URL', () => {
+      const result = normalizeRepoUrl('github.com/user/repo', false, false)
       expect(result).toEqual('https://github.com/user/repo.git')
     })
 
+    it.each([
+      'javascript:alert(1)',
+      'data:text/html,<svg/onload=alert(1)>',
+      'vbscript:msgbox(1)',
+      'ftp://github.com/example/repo',
+      'github.com/example',
+      'github.com/example/repo<script>',
+    ])('should reject unsafe repository URL: %s', (repoUrl) => {
+      expect(normalizeRepoUrl(repoUrl, false, false)).toBeNull()
+    })
+
     it('should return null for invalid URL', () => {
       const result = normalizeRepoUrl('invalid-url', false, false)
       expect(result).toBeNull()
diff --git a/src/utils/codeRepoUtils.ts b/src/utils/codeRepoUtils.ts
index 21de97882..a49d6346b 100644
--- a/src/utils/codeRepoUtils.ts
+++ b/src/utils/codeRepoUtils.ts
@@ -44,39 +44,58 @@ export async function getGiteaRepoUrls(adminUsername, adminPassword, orgName, do
   }
 }
 
+const ALLOWED_REPO_HOSTS = ['github.com', 'gitlab.com']
+
+const SAFE_REPO_PATH_REGEX = /^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/
+
 export function normalizeRepoUrl(inputUrl: string, isPrivate: boolean, isSSH: boolean): string | null {
   try {
-    let parsedUrl: URL
+    const cleanUrl = inputUrl.trim().replace(/\/$/, '')
+
+    let hostname: string
     let owner: string
     let repoName: string
 
-    const cleanUrl = inputUrl
-      .trim()
-      .replace(/\.git$/, '')
-      .replace(/\/$/, '')
-    const initMatch = cleanUrl.match(
-      /^(https?:\/\/(github\.com|gitlab\.com)\/([^/]+)\/([^/]+)|git@(github\.com|gitlab\.com):([^/]+)\/([^/]+))/,
-    )
+    if (cleanUrl.startsWith('git@')) {
+      const match = cleanUrl
+        .replace(/\.git$/, '')
+        .match(/^git@(github\.com|gitlab\.com):([A-Za-z0-9_.-]+)\/([A-Za-z0-9_.-]+)$/)
 
-    if (!initMatch) throw new Error('Invalid repository URL.')
+      if (!match) return null
 
-    if (inputUrl.startsWith('git@')) {
-      const match = inputUrl.match(/^git@([^:]+):([^/]+)\/(.+?)(\.git)?$/)
-      if (!match) throw new Error('Invalid SSH repository URL.')
-      const [, hostname, extractedOwner, extractedRepo] = match
-      owner = extractedOwner
-      repoName = extractedRepo.endsWith('.git') ? extractedRepo : `${extractedRepo}.git`
-      parsedUrl = new URL(`https://${hostname}/${owner}/${repoName}`)
+      hostname = match[1]
+      owner = match[2]
+      repoName = match[3]
     } else {
-      parsedUrl = new URL(inputUrl)
-      const segments = parsedUrl.pathname.split('/').filter(Boolean)
-      if (segments.length < 2) throw new Error('Invalid repository URL: not enough segments.')
-      owner = segments[0]
-      repoName = segments[1].endsWith('.git') ? segments[1] : `${segments[1]}.git`
+      const urlToParse = /^[a-z][a-z0-9+.-]*:/i.test(cleanUrl) ? cleanUrl : `https://${cleanUrl}`
+
+      const parsed = new URL(urlToParse)
+
+      if (parsed.protocol !== 'https:') return null
+
+      hostname = parsed.hostname
+      if (!ALLOWED_REPO_HOSTS.includes(hostname)) return null
+
+      const parts = parsed.pathname
+        .replace(/\.git$/, '')
+        .split('/')
+        .filter(Boolean)
+      if (parts.length !== 2) return null
+
+      owner = parts[0]
+      repoName = parts[1]
+
+      if (!SAFE_REPO_PATH_REGEX.test(`${owner}/${repoName}`)) return null
     }
-    if (isPrivate && isSSH) return `git@${parsedUrl.hostname}:${owner}/${repoName}`
-    else return `https://${parsedUrl.hostname}/${owner}/${repoName}`
-  } catch (error) {
+
+    const repoWithGitSuffix = `${repoName}.git`
+
+    if (isPrivate && isSSH) {
+      return `git@${hostname}:${owner}/${repoWithGitSuffix}`
+    }
+
+    return `https://${hostname}/${owner}/${repoWithGitSuffix}`
+  } catch {
     return null
   }
 }

From 481b30d22fcf8fd5c6c525c555068bef970f552d Mon Sep 17 00:00:00 2001
From: dvankeke <dvankeke@akamai.com>
Date: Tue, 12 May 2026 09:08:25 +0200
Subject: [PATCH 2/2] fix: git agnostic safe url

---
 src/openapi/definitions.yaml    |  2 +-
 src/utils/codeRepoUtils.test.ts | 23 ++++++++++++++++++++++
 src/utils/codeRepoUtils.ts      | 34 ++++++++++++---------------------
 3 files changed, 36 insertions(+), 23 deletions(-)

diff --git a/src/openapi/definitions.yaml b/src/openapi/definitions.yaml
index 9268d1359..49f627887 100644
--- a/src/openapi/definitions.yaml
+++ b/src/openapi/definitions.yaml
@@ -940,7 +940,7 @@ replicas:
   default: 1
 repoUrl:
   description: Path to a remote git repo without protocol. Will use https to access.
-  pattern: '^(https://)?(github\.com|gitlab\.com|[^/\s]+\.gitea[^/\s]*)/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:\.git)?$'
+  pattern: '^(?:(?:https://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}|git@[A-Za-z0-9.-]+\.[A-Za-z]{2,}:)/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:\.git)?$'
   type: string
   x-message: a valid git repo URL
   example: github.com/example/repo
diff --git a/src/utils/codeRepoUtils.test.ts b/src/utils/codeRepoUtils.test.ts
index a9627e704..58976ea00 100644
--- a/src/utils/codeRepoUtils.test.ts
+++ b/src/utils/codeRepoUtils.test.ts
@@ -134,6 +134,29 @@ describe('codeRepoUtils', () => {
       expect(normalizeRepoUrl(repoUrl, false, false)).toBeNull()
     })
 
+    it.each([
+      ['https://github.com/example/repo', 'https://github.com/example/repo.git'],
+      ['github.com/example/repo', 'https://github.com/example/repo.git'],
+      ['git@github.com:example/repo.git', 'https://github.com/example/repo.git'],
+      [
+        'https://gitlab.example.com/platform/backend/my-repo',
+        'https://gitlab.example.com/platform/backend/my-repo.git',
+      ],
+      ['gitlab.example.com/platform/backend/my-repo', 'https://gitlab.example.com/platform/backend/my-repo.git'],
+      [
+        'git@gitlab.example.com:platform/backend/my-repo.git',
+        'https://gitlab.example.com/platform/backend/my-repo.git',
+      ],
+    ])('should normalize valid repository URL: %s', (input, expected) => {
+      expect(normalizeRepoUrl(input, false, false)).toEqual(expected)
+    })
+
+    it('should preserve SSH format for private SSH repositories', () => {
+      const result = normalizeRepoUrl('git@gitlab.example.com:platform/backend/my-repo.git', true, true)
+
+      expect(result).toEqual('git@gitlab.example.com:platform/backend/my-repo.git')
+    })
+
     it('should return null for invalid URL', () => {
       const result = normalizeRepoUrl('invalid-url', false, false)
       expect(result).toBeNull()
diff --git a/src/utils/codeRepoUtils.ts b/src/utils/codeRepoUtils.ts
index a49d6346b..c6694e424 100644
--- a/src/utils/codeRepoUtils.ts
+++ b/src/utils/codeRepoUtils.ts
@@ -44,57 +44,47 @@ export async function getGiteaRepoUrls(adminUsername, adminPassword, orgName, do
   }
 }
 
-const ALLOWED_REPO_HOSTS = ['github.com', 'gitlab.com']
-
-const SAFE_REPO_PATH_REGEX = /^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/
+const SAFE_HOST_REGEX = /^[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/
+const SAFE_REPO_PATH_REGEX = /^[A-Za-z0-9_.-]+(?:\/[A-Za-z0-9_.-]+)+$/
 
 export function normalizeRepoUrl(inputUrl: string, isPrivate: boolean, isSSH: boolean): string | null {
   try {
     const cleanUrl = inputUrl.trim().replace(/\/$/, '')
 
     let hostname: string
-    let owner: string
-    let repoName: string
+    let repoPath: string
 
     if (cleanUrl.startsWith('git@')) {
       const match = cleanUrl
         .replace(/\.git$/, '')
-        .match(/^git@(github\.com|gitlab\.com):([A-Za-z0-9_.-]+)\/([A-Za-z0-9_.-]+)$/)
+        .match(/^git@([A-Za-z0-9.-]+\.[A-Za-z]{2,}):([A-Za-z0-9_.-]+(?:\/[A-Za-z0-9_.-]+)+)$/)
 
       if (!match) return null
 
       hostname = match[1]
-      owner = match[2]
-      repoName = match[3]
+      repoPath = match[2]
     } else {
       const urlToParse = /^[a-z][a-z0-9+.-]*:/i.test(cleanUrl) ? cleanUrl : `https://${cleanUrl}`
 
       const parsed = new URL(urlToParse)
 
       if (parsed.protocol !== 'https:') return null
+      if (!SAFE_HOST_REGEX.test(parsed.hostname)) return null
 
-      hostname = parsed.hostname
-      if (!ALLOWED_REPO_HOSTS.includes(hostname)) return null
+      repoPath = parsed.pathname.replace(/\.git$/, '').replace(/^\/|\/$/g, '')
 
-      const parts = parsed.pathname
-        .replace(/\.git$/, '')
-        .split('/')
-        .filter(Boolean)
-      if (parts.length !== 2) return null
+      if (!SAFE_REPO_PATH_REGEX.test(repoPath)) return null
 
-      owner = parts[0]
-      repoName = parts[1]
-
-      if (!SAFE_REPO_PATH_REGEX.test(`${owner}/${repoName}`)) return null
+      hostname = parsed.hostname
     }
 
-    const repoWithGitSuffix = `${repoName}.git`
+    const repoWithGitSuffix = `${repoPath}.git`
 
     if (isPrivate && isSSH) {
-      return `git@${hostname}:${owner}/${repoWithGitSuffix}`
+      return `git@${hostname}:${repoWithGitSuffix}`
     }
 
-    return `https://${hostname}/${owner}/${repoWithGitSuffix}`
+    return `https://${hostname}/${repoWithGitSuffix}`
   } catch {
     return null
   }