feature-296-bugbot-autofix: Enhance regex handling in BranchRepository and ThinkUseCase by introducing a utility function for escaping special characters. Update related logic to ensure safe processing of user input and improve regex pattern matching. Add tests to verify correct behavior when handling special characters in user mentions and version extraction.

Author: efraespada

build/cli/index.js

@@ -49858,6 +49858,7 @@ class BranchRepository {
                 if (baseBranchName.indexOf('tags/') > -1) {
                     ref = baseBranchName;
                 }
+                const refForGraphQL = ref.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
                 const octokit = github.getOctokit(token);
                 const { repository } = await octokit.graphql(`
               query($repo: String!, $owner: String!, $issueNumber: Int!) {
@@ -49866,7 +49867,7 @@ class BranchRepository {
                   issue(number: $issueNumber) {
                     id
                   }
-                  ref(qualifiedName: "refs/${ref}") {
+                  ref(qualifiedName: "refs/${refForGraphQL}") {
                     target {
                       ... on Commit {
                         oid
@@ -56658,7 +56659,8 @@ class ThinkUseCase {
                 }));
                 return results;
             }
-            const question = commentBody.replace(new RegExp(`@${param.tokenUser}`, 'gi'), '').trim();
+            const escapedUsername = param.tokenUser.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+            const question = commentBody.replace(new RegExp(`@${escapedUsername}`, 'gi'), '').trim();
             if (!question) {
                 results.push(new result_1.Result({
                     id: this.taskId,
@@ -59428,14 +59430,19 @@ exports.PROMPTS = {};
 
 Object.defineProperty(exports, "__esModule", ({ value: true }));
 exports.injectJsonAsMarkdownBlock = exports.extractChangelogUpToAdditionalContext = exports.extractReleaseType = exports.extractVersion = void 0;
+function escapeRegexLiteral(s) {
+    return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
 const extractVersion = (pattern, text) => {
-    const versionPattern = new RegExp(`###\\s*${pattern}\\s+(\\d+\\.\\d+\\.\\d+)`, 'i');
+    const escaped = escapeRegexLiteral(pattern);
+    const versionPattern = new RegExp(`###\\s*${escaped}\\s+(\\d+\\.\\d+\\.\\d+)`, 'i');
     const match = text.match(versionPattern);
     return match ? match[1] : undefined;
 };
 exports.extractVersion = extractVersion;
 const extractReleaseType = (pattern, text) => {
-    const releaseTypePattern = new RegExp(`###\\s*${pattern}\\s+(Patch|Minor|Major)`, 'i');
+    const escaped = escapeRegexLiteral(pattern);
+    const releaseTypePattern = new RegExp(`###\\s*${escaped}\\s+(Patch|Minor|Major)`, 'i');
     const match = text.match(releaseTypePattern);
     return match ? match[1] : undefined;
 };
@@ -59448,7 +59455,7 @@ const extractChangelogUpToAdditionalContext = (body, sectionTitle) => {
     if (body == null || body === '') {
         return 'No changelog provided';
     }
-    const escaped = sectionTitle.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    const escaped = escapeRegexLiteral(sectionTitle);
     const pattern = new RegExp(`(?:###|##)\\s*${escaped}\\s*\\n\\n([\\s\\S]*?)` +
         `(?=\\n(?:###|##)\\s*Additional Context\\s*|$)`, 'i');
     const match = body.match(pattern);

build/cli/src/data/repository/__tests__/branch_repository.createLinkedBranch.test.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Unit tests for createLinkedBranch: GraphQL ref escaping so branch names with " or \ do not break the query.
+ */
+export {};

build/github_action/index.js

@@ -44947,6 +44947,7 @@ class BranchRepository {
                 if (baseBranchName.indexOf('tags/') > -1) {
                     ref = baseBranchName;
                 }
+                const refForGraphQL = ref.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
                 const octokit = github.getOctokit(token);
                 const { repository } = await octokit.graphql(`
               query($repo: String!, $owner: String!, $issueNumber: Int!) {
@@ -44955,7 +44956,7 @@ class BranchRepository {
                   issue(number: $issueNumber) {
                     id
                   }
-                  ref(qualifiedName: "refs/${ref}") {
+                  ref(qualifiedName: "refs/${refForGraphQL}") {
                     target {
                       ... on Commit {
                         oid
@@ -51966,7 +51967,8 @@ class ThinkUseCase {
                 }));
                 return results;
             }
-            const question = commentBody.replace(new RegExp(`@${param.tokenUser}`, 'gi'), '').trim();
+            const escapedUsername = param.tokenUser.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+            const question = commentBody.replace(new RegExp(`@${escapedUsername}`, 'gi'), '').trim();
             if (!question) {
                 results.push(new result_1.Result({
                     id: this.taskId,
@@ -54736,14 +54738,19 @@ exports.PROMPTS = {};
 
 Object.defineProperty(exports, "__esModule", ({ value: true }));
 exports.injectJsonAsMarkdownBlock = exports.extractChangelogUpToAdditionalContext = exports.extractReleaseType = exports.extractVersion = void 0;
+function escapeRegexLiteral(s) {
+    return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
 const extractVersion = (pattern, text) => {
-    const versionPattern = new RegExp(`###\\s*${pattern}\\s+(\\d+\\.\\d+\\.\\d+)`, 'i');
+    const escaped = escapeRegexLiteral(pattern);
+    const versionPattern = new RegExp(`###\\s*${escaped}\\s+(\\d+\\.\\d+\\.\\d+)`, 'i');
     const match = text.match(versionPattern);
     return match ? match[1] : undefined;
 };
 exports.extractVersion = extractVersion;
 const extractReleaseType = (pattern, text) => {
-    const releaseTypePattern = new RegExp(`###\\s*${pattern}\\s+(Patch|Minor|Major)`, 'i');
+    const escaped = escapeRegexLiteral(pattern);
+    const releaseTypePattern = new RegExp(`###\\s*${escaped}\\s+(Patch|Minor|Major)`, 'i');
     const match = text.match(releaseTypePattern);
     return match ? match[1] : undefined;
 };
@@ -54756,7 +54763,7 @@ const extractChangelogUpToAdditionalContext = (body, sectionTitle) => {
     if (body == null || body === '') {
         return 'No changelog provided';
     }
-    const escaped = sectionTitle.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    const escaped = escapeRegexLiteral(sectionTitle);
     const pattern = new RegExp(`(?:###|##)\\s*${escaped}\\s*\\n\\n([\\s\\S]*?)` +
         `(?=\\n(?:###|##)\\s*Additional Context\\s*|$)`, 'i');
     const match = body.match(pattern);

build/github_action/src/data/repository/__tests__/branch_repository.createLinkedBranch.test.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Unit tests for createLinkedBranch: GraphQL ref escaping so branch names with " or \ do not break the query.
+ */
+export {};

src/data/repository/__tests__/branch_repository.createLinkedBranch.test.ts

@@ -0,0 +1,78 @@
+/**
+ * Unit tests for createLinkedBranch: GraphQL ref escaping so branch names with " or \ do not break the query.
+ */
+
+import { BranchRepository } from "../branch_repository";
+
+jest.mock("../../../utils/logger", () => ({
+    logDebugInfo: jest.fn(),
+    logError: jest.fn(),
+}));
+
+const mockGraphql = jest.fn();
+jest.mock("@actions/github", () => ({
+    getOctokit: () => ({
+        graphql: (...args: unknown[]) => mockGraphql(...args),
+    }),
+}));
+
+describe("createLinkedBranch", () => {
+    const repo = new BranchRepository();
+
+    beforeEach(() => {
+        mockGraphql.mockReset();
+    });
+
+    it("escapes double quote in ref when baseBranchName contains quote", async () => {
+        mockGraphql
+            .mockResolvedValueOnce({
+                repository: {
+                    id: "R_1",
+                    issue: { id: "I_1" },
+                    ref: { target: { oid: "abc123" } },
+                },
+            })
+            .mockResolvedValueOnce({ createLinkedBranch: { linkedBranch: { id: "LB_1" } } });
+
+        await repo.createLinkedBranch(
+            "o",
+            "r",
+            'feature"injection',
+            "feature/42-foo",
+            42,
+            undefined,
+            "token"
+        );
+
+        expect(mockGraphql).toHaveBeenCalledTimes(2);
+        const queryString = mockGraphql.mock.calls[0][0] as string;
+        expect(queryString).toContain('refs/heads/feature\\"injection');
+        expect(queryString).not.toMatch(/qualifiedName:\s*"refs\/heads\/feature"[^\\]/);
+    });
+
+    it("escapes backslash in ref when baseBranchName contains backslash", async () => {
+        mockGraphql
+            .mockResolvedValueOnce({
+                repository: {
+                    id: "R_1",
+                    issue: { id: "I_1" },
+                    ref: { target: { oid: "abc123" } },
+                },
+            })
+            .mockResolvedValueOnce({ createLinkedBranch: { linkedBranch: { id: "LB_1" } } });
+
+        await repo.createLinkedBranch(
+            "o",
+            "r",
+            "feature\\branch",
+            "feature/42-foo",
+            42,
+            undefined,
+            "token"
+        );
+
+        expect(mockGraphql).toHaveBeenCalledTimes(2);
+        const queryString = mockGraphql.mock.calls[0][0] as string;
+        expect(queryString).toContain("refs/heads/feature\\\\branch");
+    });
+});

src/data/repository/branch_repository.ts

@@ -288,10 +288,11 @@ export class BranchRepository {
         try {
             logDebugInfo(`Creating linked branch ${newBranchName} from ${oid ?? baseBranchName}`)
 
-            let ref = `heads/${baseBranchName}`
+            let ref = `heads/${baseBranchName}`;
             if (baseBranchName.indexOf('tags/') > -1) {
-                ref = baseBranchName
+                ref = baseBranchName;
             }
+            const refForGraphQL = ref.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
 
             const octokit = github.getOctokit(token);
             const {repository} = await octokit.graphql<RepositoryResponse>(`
@@ -301,7 +302,7 @@ export class BranchRepository {
                   issue(number: $issueNumber) {
                     id
                   }
-                  ref(qualifiedName: "refs/${ref}") {
+                  ref(qualifiedName: "refs/${refForGraphQL}") {
                     target {
                       ... on Commit {
                         oid

src/usecase/steps/common/__tests__/think_use_case.test.ts

@@ -194,6 +194,24 @@ describe('ThinkUseCase', () => {
     expect(results[0].executed).toBe(true);
   });
 
+  it('strips mention correctly when tokenUser contains regex-special chars', async () => {
+    mockGetDescription.mockResolvedValue(undefined);
+    mockAskAgent.mockResolvedValue({ answer: 'OK' });
+    mockAddComment.mockResolvedValue(undefined);
+    const param = baseParam({
+      tokenUser: 'bot.',
+      issue: { ...baseParam().issue, commentBody: '@bot. what is 2+2?' },
+    });
+
+    const results = await useCase.invoke(param);
+
+    expect(mockAskAgent).toHaveBeenCalledTimes(1);
+    const prompt = mockAskAgent.mock.calls[0][2];
+    expect(prompt).toContain('Question: what is 2+2?');
+    expect(results[0].success).toBe(true);
+    expect(results[0].executed).toBe(true);
+  });
+
   it('includes issue description in prompt when getDescription returns content', async () => {
     mockGetDescription.mockResolvedValue('Implement login feature for the app.');
     mockAskAgent.mockResolvedValue({ answer: 'Sure, here is how...' });

src/usecase/steps/common/think_use_case.ts

@@ -69,7 +69,8 @@ export class ThinkUseCase implements ParamUseCase<Execution, Result[]> {
                 return results;
             }
 
-            const question = commentBody.replace(new RegExp(`@${param.tokenUser}`, 'gi'), '').trim();
+            const escapedUsername = param.tokenUser.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+            const question = commentBody.replace(new RegExp(`@${escapedUsername}`, 'gi'), '').trim();
             if (!question) {
                 results.push(
                     new Result({

src/utils/__tests__/content_utils.test.ts

@@ -26,6 +26,13 @@ describe('content_utils', () => {
       expect(extractVersion('Release Version', '### Release Version 1.2')).toBeUndefined();
       expect(extractVersion('Release Version', '### Release Version abc')).toBeUndefined();
     });
+
+    it('escapes regex-special chars in pattern (no ReDoS or over-matching)', () => {
+      expect(extractVersion('Release (Version)', '### Release (Version) 1.2.3')).toBe('1.2.3');
+      expect(extractVersion('.*', '### .* 1.2.3')).toBe('1.2.3');
+      expect(extractVersion('.*', '### x 1.2.3')).toBeUndefined();
+      expect(extractVersion('x.y', '### x.y 9.8.7')).toBe('9.8.7');
+    });
   });
 
   describe('extractReleaseType', () => {
@@ -44,6 +51,11 @@ describe('content_utils', () => {
       expect(extractReleaseType('Release Type', 'No type here')).toBeUndefined();
       expect(extractReleaseType('Other', '### Release Type Patch')).toBeUndefined();
     });
+
+    it('escapes regex-special chars in pattern', () => {
+      expect(extractReleaseType('Release (Type)', '### Release (Type) Minor')).toBe('Minor');
+      expect(extractReleaseType('Patch|Minor', '### Patch|Minor Major')).toBe('Major');
+    });
   });
 
   describe('extractChangelogUpToAdditionalContext', () => {

src/utils/content_utils.ts

@@ -1,11 +1,17 @@
+function escapeRegexLiteral(s: string): string {
+    return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
 export const extractVersion = (pattern: string, text: string): string | undefined => {
-    const versionPattern = new RegExp(`###\\s*${pattern}\\s+(\\d+\\.\\d+\\.\\d+)`, 'i');
+    const escaped = escapeRegexLiteral(pattern);
+    const versionPattern = new RegExp(`###\\s*${escaped}\\s+(\\d+\\.\\d+\\.\\d+)`, 'i');
     const match = text.match(versionPattern);
     return match ? match[1] : undefined;
 };
 
 export const extractReleaseType = (pattern: string, text: string): string | undefined => {
-    const releaseTypePattern = new RegExp(`###\\s*${pattern}\\s+(Patch|Minor|Major)`, 'i');
+    const escaped = escapeRegexLiteral(pattern);
+    const releaseTypePattern = new RegExp(`###\\s*${escaped}\\s+(Patch|Minor|Major)`, 'i');
     const match = text.match(releaseTypePattern);
     return match ? match[1] : undefined;
 };
@@ -21,7 +27,7 @@ export const extractChangelogUpToAdditionalContext = (
     if (body == null || body === '') {
         return 'No changelog provided';
     }
-    const escaped = sectionTitle.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    const escaped = escapeRegexLiteral(sectionTitle);
     const pattern = new RegExp(
         `(?:###|##)\\s*${escaped}\\s*\\n\\n([\\s\\S]*?)` +
             `(?=\\n(?:###|##)\\s*Additional Context\\s*|$)`,