From 6a7830b07ec44bc0a6e721d77248f988a9395c9a Mon Sep 17 00:00:00 2001
From: statxc <181730535+statxc@users.noreply.github.com>
Date: Wed, 1 Apr 2026 21:27:10 +0000
Subject: [PATCH] fix: add HTTPS protocol check to server-side GitHub URL parsers

---
 server/src/services/company-portability.ts | 3 +++
 server/src/services/company-skills.ts | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/server/src/services/company-portability.ts b/server/src/services/company-portability.ts
index 256e98d3..b1bb7ed9 100644
--- a/server/src/services/company-portability.ts
+++ b/server/src/services/company-portability.ts
@@ -2567,6 +2567,9 @@ function normalizeGitHubSourcePath(value: string | null | undefined) {
 export function parseGitHubSourceUrl(rawUrl: string) {
   const url = new URL(rawUrl);
+  if (url.protocol !== "https:") {
+    throw unprocessable("GitHub source URL must use HTTPS");
+  }
   const hostname = url.hostname;
   const parts = url.pathname.split("/").filter(Boolean);
   if (parts.length < 2) {
diff --git a/server/src/services/company-skills.ts b/server/src/services/company-skills.ts
index 8cefd2fd..a878a779 100644
--- a/server/src/services/company-skills.ts
+++ b/server/src/services/company-skills.ts
@@ -512,6 +512,9 @@ async function resolveGitHubCommitSha(owner: string, repo: string, ref: string,
 function parseGitHubSourceUrl(rawUrl: string) {
   const url = new URL(rawUrl);
+  if (url.protocol !== "https:") {
+    throw unprocessable("GitHub source URL must use HTTPS");
+  }
   const parts = url.pathname.split("/").filter(Boolean);
   if (parts.length < 2) {
     throw unprocessable("Invalid GitHub URL");
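Review bot: The new protocol check in company-portability.ts sits after `new URL(rawUrl)`, which throws a plain TypeError on input it cannot parse (a scheme-less `github.com/owner/repo`, for instance), so a malformed URL never reaches the check and, unless a caller catches TypeError, surfaces as an unhandled error rather than the `unprocessable` this function otherwise uses for bad input. Wrapping the constructor gives both failure modes the same contract. The `hostname` read on the following line is not validated within the hunk; if that check lives further down, fine, but since the same HTTPS guard had to be copied into company-skills.ts, moving scheme and host validation into one shared helper would keep the two parsers from drifting. `parseGitHubSourceUrl` continues past the end of the hunk.
```typescript
export function parseGitHubSourceUrl(rawUrl: string) {
  let url: URL;
  try {
    url = new URL(rawUrl);
  } catch {
    // WHATWG URL throws TypeError on unparsable input; normalize to the same 422-style error
    throw unprocessable("Invalid GitHub URL");
  }
  if (url.protocol !== "https:") {
    throw unprocessable("GitHub source URL must use HTTPS");
  }
  // … unchanged: hostname and path-segment parsing …
```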
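Review bot: Nothing in the company-skills.ts hunk checks `url.hostname`: after the new scheme check the function reads only `url.pathname`, so a URL such as `https://attacker.example/owner/repo` passes as a GitHub source and its first two path segments are used as owner/repo downstream (the hunk header shows `resolveGitHubCommitSha(owner, repo, ref, …)` nearby). If the host is not validated further down — the function continues past the hunk — add `if (url.hostname !== "github.com") throw unprocessable("GitHub source URL must point at github.com");` directly after the protocol check, extended with whatever host aliases the portability parser accepts. The portability copy at least reads `url.hostname` while this copy has no such line, which is exactly the drift a single shared parser would prevent. As in the other file, `new URL(rawUrl)` throws a TypeError for unparsable input before the new check runs, so that path does not produce an `unprocessable` error either.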