fix: git agnostic safe url

Author: dennisvankekem

src/openapi/definitions.yaml

@@ -940,7 +940,7 @@ replicas:
   default: 1
 repoUrl:
   description: Path to a remote git repo without protocol. Will use https to access.
-  pattern: '^(https://)?(github\.com|gitlab\.com|[^/\s]+\.gitea[^/\s]*)/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:\.git)?$'
+  pattern: '^(?:(?:https://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}|git@[A-Za-z0-9.-]+\.[A-Za-z]{2,}:)/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:\.git)?$'
   type: string
   x-message: a valid git repo URL
   example: github.com/example/repo

src/utils/codeRepoUtils.test.ts

@@ -134,6 +134,29 @@ describe('codeRepoUtils', () => {
       expect(normalizeRepoUrl(repoUrl, false, false)).toBeNull()
     })
 
+    it.each([
+      ['https://github.com/example/repo', 'https://github.com/example/repo.git'],
+      ['github.com/example/repo', 'https://github.com/example/repo.git'],
+      ['git@github.com:example/repo.git', 'https://github.com/example/repo.git'],
+      [
+        'https://gitlab.example.com/platform/backend/my-repo',
+        'https://gitlab.example.com/platform/backend/my-repo.git',
+      ],
+      ['gitlab.example.com/platform/backend/my-repo', 'https://gitlab.example.com/platform/backend/my-repo.git'],
+      [
+        'git@gitlab.example.com:platform/backend/my-repo.git',
+        'https://gitlab.example.com/platform/backend/my-repo.git',
+      ],
+    ])('should normalize valid repository URL: %s', (input, expected) => {
+      expect(normalizeRepoUrl(input, false, false)).toEqual(expected)
+    })
+
+    it('should preserve SSH format for private SSH repositories', () => {
+      const result = normalizeRepoUrl('git@gitlab.example.com:platform/backend/my-repo.git', true, true)
+
+      expect(result).toEqual('git@gitlab.example.com:platform/backend/my-repo.git')
+    })
+
     it('should return null for invalid URL', () => {
       const result = normalizeRepoUrl('invalid-url', false, false)
       expect(result).toBeNull()

src/utils/codeRepoUtils.ts

@@ -44,57 +44,47 @@ export async function getGiteaRepoUrls(adminUsername, adminPassword, orgName, do
   }
 }
 
-const ALLOWED_REPO_HOSTS = ['github.com', 'gitlab.com']
-
-const SAFE_REPO_PATH_REGEX = /^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/
+const SAFE_HOST_REGEX = /^[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/
+const SAFE_REPO_PATH_REGEX = /^[A-Za-z0-9_.-]+(?:\/[A-Za-z0-9_.-]+)+$/
 
 export function normalizeRepoUrl(inputUrl: string, isPrivate: boolean, isSSH: boolean): string | null {
   try {
     const cleanUrl = inputUrl.trim().replace(/\/$/, '')
 
     let hostname: string
-    let owner: string
-    let repoName: string
+    let repoPath: string
 
     if (cleanUrl.startsWith('git@')) {
       const match = cleanUrl
         .replace(/\.git$/, '')
-        .match(/^git@(github\.com|gitlab\.com):([A-Za-z0-9_.-]+)\/([A-Za-z0-9_.-]+)$/)
+        .match(/^git@([A-Za-z0-9.-]+\.[A-Za-z]{2,}):([A-Za-z0-9_.-]+(?:\/[A-Za-z0-9_.-]+)+)$/)
 
       if (!match) return null
 
       hostname = match[1]
-      owner = match[2]
-      repoName = match[3]
+      repoPath = match[2]
     } else {
       const urlToParse = /^[a-z][a-z0-9+.-]*:/i.test(cleanUrl) ? cleanUrl : `https://${cleanUrl}`
 
       const parsed = new URL(urlToParse)
 
       if (parsed.protocol !== 'https:') return null
+      if (!SAFE_HOST_REGEX.test(parsed.hostname)) return null
 
-      hostname = parsed.hostname
-      if (!ALLOWED_REPO_HOSTS.includes(hostname)) return null
+      repoPath = parsed.pathname.replace(/\.git$/, '').replace(/^\/|\/$/g, '')
 
-      const parts = parsed.pathname
-        .replace(/\.git$/, '')
-        .split('/')
-        .filter(Boolean)
-      if (parts.length !== 2) return null
+      if (!SAFE_REPO_PATH_REGEX.test(repoPath)) return null
 
-      owner = parts[0]
-      repoName = parts[1]
-
-      if (!SAFE_REPO_PATH_REGEX.test(`${owner}/${repoName}`)) return null
+      hostname = parsed.hostname
     }
 
-    const repoWithGitSuffix = `${repoName}.git`
+    const repoWithGitSuffix = `${repoPath}.git`
 
     if (isPrivate && isSSH) {
-      return `git@${hostname}:${owner}/${repoWithGitSuffix}`
+      return `git@${hostname}:${repoWithGitSuffix}`
     }
 
-    return `https://${hostname}/${owner}/${repoWithGitSuffix}`
+    return `https://${hostname}/${repoWithGitSuffix}`
   } catch {
     return null
   }