Skip to content

fix(core): validate username / gist id against the safe-character pattern#356

Merged
martin-mfg merged 1 commit into
stats-organization:masterfrom
marcalexiei:username-validation
Jul 12, 2026
Merged

fix(core): validate username / gist id against the safe-character pattern#356
martin-mfg merged 1 commit into
stats-organization:masterfrom
marcalexiei:username-validation

Conversation

@marcalexiei

@marcalexiei marcalexiei commented Jul 11, 2026

Copy link
Copy Markdown

stats and pin already reject username/repo/owner that don't match safePattern (/^[-\w/.,]+$/), but top-langs, wakatime, and gist didn't.

This applies the same guard:

  • top-langs + wakatime: reject a username containing unsafe characters.
    Matters most for wakatime, where username is interpolated into the outbound request URL path.
  • gist: same guard on its id param.

All three return the existing error - permanent card before any fetch.

Additional change

Simplified the layout / stats_format checks in top-langs:
dropped the redundant typeof x !== "string" || (a non-string already fails .includes(...)),
keeping the x !== undefined guard so the params stay optional.

@vercel

vercel Bot commented Jul 11, 2026

Copy link
Copy Markdown

@marcalexiei is attempting to deploy a commit to the martin-mfg's projects Team on Vercel.

A member of the Team first needs to authorize it.

@martin-mfg martin-mfg merged commit b0100ca into stats-organization:master Jul 12, 2026
5 of 7 checks passed
@marcalexiei marcalexiei deleted the username-validation branch July 12, 2026 13:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants