fix(web): validate git ref and file path inputs before executing git commands

Reject ref values starting with '-' to prevent flag injection into git
commands, and apply path traversal validation to file source lookups.
Returns 400 INVALID_GIT_REF or 404 FILE_NOT_FOUND instead of passing
unsanitized input to the underlying git CLI.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: brendan-kellam

packages/web/src/features/git/getFileSourceApi.ts

@@ -2,12 +2,13 @@ import { sew } from '@/actions';
 import { getBrowsePath } from '@/app/[domain]/browse/hooks/utils';
 import { SINGLE_TENANT_ORG_DOMAIN } from '@/lib/constants';
 import { detectLanguageFromFilename } from '@/lib/languageDetection';
-import { ServiceError, notFound, fileNotFound, unexpectedError } from '@/lib/serviceError';
+import { ServiceError, notFound, fileNotFound, invalidGitRef, unexpectedError } from '@/lib/serviceError';
 import { getCodeHostBrowseFileAtBranchUrl } from '@/lib/utils';
 import { withOptionalAuthV2 } from '@/withAuthV2';
 import { getRepoPath } from '@sourcebot/shared';
 import simpleGit from 'simple-git';
 import z from 'zod';
+import { isGitRefValid, isPathValid } from './utils';
 import { CodeHostType } from '@sourcebot/db';
 
 export const fileSourceRequestSchema = z.object({
@@ -38,6 +39,14 @@ export const getFileSource = async ({ path: filePath, repo: repoName, ref }: Fil
         return notFound(`Repository "${repoName}" not found.`);
     }
 
+    if (!isPathValid(filePath)) {
+        return fileNotFound(filePath, repoName);
+    }
+
+    if (ref !== undefined && !isGitRefValid(ref)) {
+        return invalidGitRef(ref);
+    }
+
     const { path: repoPath } = getRepoPath(repo);
     const git = simpleGit().cwd(repoPath);
 

packages/web/src/features/git/getTreeApi.ts

@@ -1,11 +1,11 @@
 import { sew } from '@/actions';
-import { notFound, ServiceError, unexpectedError } from '@/lib/serviceError';
+import { invalidGitRef, notFound, ServiceError, unexpectedError } from '@/lib/serviceError';
 import { withOptionalAuthV2 } from "@/withAuthV2";
 import { getRepoPath } from '@sourcebot/shared';
 import simpleGit from 'simple-git';
 import z from 'zod';
 import { fileTreeNodeSchema } from './types';
-import { buildFileTree, isPathValid, logger, normalizePath } from './utils';
+import { buildFileTree, isGitRefValid, isPathValid, logger, normalizePath } from './utils';
 
 export const getTreeRequestSchema = z.object({
     repoName: z.string(),
@@ -37,6 +37,10 @@ export const getTree = async ({ repoName, revisionName, paths }: GetTreeRequest)
             return notFound(`Repository "${repoName}" not found.`);
         }
 
+        if (!isGitRefValid(revisionName)) {
+            return invalidGitRef(revisionName);
+        }
+
         const { path: repoPath } = getRepoPath(repo);
 
         const git = simpleGit().cwd(repoPath);

packages/web/src/features/git/listCommitsApi.ts

@@ -1,9 +1,10 @@
 import { sew } from '@/actions';
-import { notFound, ServiceError, unexpectedError } from '@/lib/serviceError';
+import { invalidGitRef, notFound, ServiceError, unexpectedError } from '@/lib/serviceError';
 import { withOptionalAuthV2 } from '@/withAuthV2';
 import { getRepoPath } from '@sourcebot/shared';
 import { simpleGit } from 'simple-git';
 import { toGitDate, validateDateRange } from './dateUtils';
+import { isGitRefValid } from './utils';
 
 export interface Commit {
     hash: string;
@@ -60,6 +61,10 @@ export const listCommits = async ({
             return notFound(`Repository "${repoName}" not found.`);
         }
 
+        if (!isGitRefValid(ref)) {
+            return invalidGitRef(ref);
+        }
+
         const { path: repoPath } = getRepoPath(repo);
 
         // Validate date range if both since and until are provided

packages/web/src/features/git/utils.ts

@@ -3,6 +3,11 @@ import { FileTreeItem, FileTreeNode } from "./types";
 
 export const logger = createLogger('git');
 
+// @note: reject refs starting with '-' to prevent git flag injection.
+export const isGitRefValid = (ref: string): boolean => {
+    return !ref.startsWith('-');
+}
+
 // @note: we don't allow directory traversal
 // or null bytes in the path.
 export const isPathValid = (path: string) => {

packages/web/src/lib/errorCodes.ts

@@ -35,4 +35,5 @@ export enum ErrorCode {
     API_KEY_NOT_FOUND = 'API_KEY_NOT_FOUND',
     INVALID_API_KEY = 'INVALID_API_KEY',
     FAILED_TO_PARSE_QUERY = 'FAILED_TO_PARSE_QUERY',
+    INVALID_GIT_REF = 'INVALID_GIT_REF',
 }

packages/web/src/lib/serviceError.ts

@@ -144,6 +144,14 @@ export const secretAlreadyExists = (): ServiceError => {
     }
 }
 
+export const invalidGitRef = (ref: string): ServiceError => {
+    return {
+        statusCode: StatusCodes.BAD_REQUEST,
+        errorCode: ErrorCode.INVALID_GIT_REF,
+        message: `Invalid git reference: "${ref}". Git refs cannot start with '-'.`,
+    };
+}
+
 export const stripeClientNotInitialized = (): ServiceError => {
     return {
         statusCode: StatusCodes.INTERNAL_SERVER_ERROR,