only valid full & partial SHAs accepted

srest2021 · srest2021 · commit 6cc111f6d21a · 2025-09-12T10:32:13.000-07:00
diff --git a/src/commands/releases/set_commits.rs b/src/commands/releases/set_commits.rs
@@ -5,7 +5,7 @@ use clap::{Arg, ArgAction, ArgMatches, Command};
 use lazy_static::lazy_static;
 use regex::Regex;
 
-use crate::api::{Api, NewRelease, NoneReleaseInfo, OptionalReleaseInfo, UpdatedRelease};
+use crate::api::{Api, NewRelease, NoneReleaseInfo, OptionalReleaseInfo, Ref, UpdatedRelease};
 use crate::config::Config;
 use crate::utils::args::ArgExt as _;
 use crate::utils::formatting::Table;
@@ -55,17 +55,13 @@ pub fn make_command(command: Command) -> Command {
             .action(ArgAction::Append)
             .help("Defines a single commit for a repo as \
                     identified by the repo name in the remote Sentry config. \
-                    If no commit has been specified sentry-cli will attempt \
-                    to auto discover that repository in the local git repo \
-                    and then use the HEAD commit.  This will either use the \
-                    current git repository or attempt to auto discover a \
-                    submodule with a compatible URL.\n\n\
-                    The value can be provided as `REPO` in which case sentry-cli \
-                    will auto-discover the commit based on reachable repositories. \
-                    Alternatively it can be provided as `REPO#PATH` in which case \
-                    the current commit of the repository at the given PATH is \
-                    assumed.  To override the revision `@REV` can be appended \
-                    which will force the revision to a certain value."))
+                    The value must be provided as `REPO@SHA` where SHA is a \
+                    Git commit SHA (full 40-character or partial 4+ characters). \
+                    To specify a range, use `REPO@PREV_SHA..SHA` format.\n\n\
+                    Examples:\n\
+                    - `my-repo@abc123` (partial SHA)\n\
+                    - `my-repo@abc123def456789...` (full SHA)\n\
+                    - `my-repo@abc123..def456` (commit range)"))
         // Legacy flag that has no effect, left hidden for backward compatibility
         .arg(Arg::new("ignore-empty")
             .long("ignore-empty")
@@ -83,14 +79,22 @@ fn strip_sha(sha: &str) -> &str {
         sha
     }
 }
+
+/// Validates that a string is a valid Git SHA (full or partial)
+fn is_valid_sha(sha: &str) -> bool {
+    lazy_static! {
+        static ref SHA_RE: Regex = Regex::new(r"^[a-fA-F0-9]{4,40}$").unwrap();
+    }
+    SHA_RE.is_match(sha)
+}
+
 pub fn execute(matches: &ArgMatches) -> Result<()> {
     let config = Config::current();
     let api = Api::current();
     let authenticated_api = api.authenticated()?;
     let version = matches.get_one::<String>("version").unwrap();
     let org = config.get_org(matches)?;
     let repos = authenticated_api.list_organization_repos(&org)?;
-    let mut commit_specs = vec![];
 
     let heads = if repos.is_empty() {
         None
@@ -105,30 +109,44 @@ pub fn execute(matches: &ArgMatches) -> Result<()> {
         Some(vec![])
     } else if matches.get_flag("local") {
         None
-    } else {
-        if let Some(commits) = matches.get_many::<String>("commits") {
-            for spec in commits {
-                let commit_spec = CommitSpec::parse(spec)?;
-                if repos
-                    .iter()
-                    .any(|r| r.name.to_lowercase() == commit_spec.repo.to_lowercase())
-                {
-                    commit_specs.push(commit_spec);
-                } else {
-                    bail!("Unknown repo '{}'", commit_spec.repo);
+    } else if let Some(commits) = matches.get_many::<String>("commits") {
+        let mut refs = vec![];
+        for spec in commits {
+            let commit_spec = CommitSpec::parse(spec)?;
+
+            if !repos
+                .iter()
+                .any(|r| r.name.to_lowercase() == commit_spec.repo.to_lowercase())
+            {
+                bail!("Unknown repo '{}'", commit_spec.repo);
+            }
+
+            if !is_valid_sha(&commit_spec.rev) {
+                bail!(
+                    "Invalid commit SHA '{}'. Only Git SHAs (full or partial) are supported.",
+                    commit_spec.rev
+                );
+            }
+
+            if let Some(ref prev_rev) = commit_spec.prev_rev {
+                if !is_valid_sha(prev_rev) {
+                    bail!("Invalid previous commit SHA '{}'. Only Git SHAs (full or partial) are supported.", prev_rev);
                 }
             }
+
+            refs.push(Ref {
+                repo: commit_spec.repo,
+                rev: commit_spec.rev,
+                prev_rev: commit_spec.prev_rev,
+            });
         }
-        let commits = find_heads(
-            Some(commit_specs),
-            &repos,
-            Some(config.get_cached_vcs_remote()),
-        )?;
-        if commits.is_empty() {
+        if refs.is_empty() {
             None
         } else {
-            Some(commits)
+            Some(refs)
         }
+    } else {
+        None
     };
 
     // make sure the release exists if projects are given
