mikkel/nexus
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: harden GHE URL detection and extract shared GitHub helpers

Browse source
This commit is contained in:
statxc 2026-04-01 21:05:48 +00:00
parent 9e1ee925cd
commit f9cebe9b73
6 changed files with 35 additions and 50 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
cli/src/commands/client/company.ts
View file

@ -768,7 +768,7 @@ export function isHttpUrl(input: string): boolean {
export function isGithubUrl(input: string): boolean { export function isGithubUrl(input: string): boolean {
try { try {
const url = new URL(input.trim()); const url = new URL(input.trim());
if (url.protocol !== "https:" && url.protocol !== "http:") return false; if (url.protocol !== "https:") return false;
const segments = url.pathname.split("/").filter(Boolean); const segments = url.pathname.split("/").filter(Boolean);
return segments.length >= 2; return segments.length >= 2;
} catch { } catch {

24
server/src/services/company-portability.ts
View file

@ -45,6 +45,7 @@ import {
writePaperclipSkillSyncPreference, writePaperclipSkillSyncPreference,
} from "@paperclipai/adapter-utils/server-utils"; } from "@paperclipai/adapter-utils/server-utils";
import { notFound, unprocessable } from "../errors.js"; import { notFound, unprocessable } from "../errors.js";
import { ghFetch, gitHubApiBase, resolveRawGitHubUrl } from "./github-fetch.js";
import type { StorageService } from "../storage/types.js"; import type { StorageService } from "../storage/types.js";
import { accessService } from "./access.js"; import { accessService } from "./access.js";
import { agentService } from "./agents.js"; import { agentService } from "./agents.js";
@ -2100,14 +2101,6 @@ function parseFrontmatterMarkdown(raw: string): MarkdownDoc {
}; };
} }
async function ghFetch(url: string, init?: RequestInit): Promise<Response> {
try {
return await fetch(url, init);
} catch {
throw unprocessable(`Could not connect to ${new URL(url).hostname} — ensure the URL points to a GitHub or GitHub Enterprise instance`);
}
}
async function fetchText(url: string) { async function fetchText(url: string) {
const response = await ghFetch(url); const response = await ghFetch(url);
if (!response.ok) { if (!response.ok) {
@ -2619,21 +2612,6 @@ export function parseGitHubSourceUrl(rawUrl: string) {
return { hostname, owner, repo, ref, basePath, companyPath }; return { hostname, owner, repo, ref, basePath, companyPath };
} }
function isGitHubDotCom(hostname: string) {
const h = hostname.toLowerCase();
return h === "github.com" || h === "www.github.com";
}
function resolveRawGitHubUrl(hostname: string, owner: string, repo: string, ref: string, filePath: string) {
const p = filePath.replace(/^\/+/, "");
return isGitHubDotCom(hostname)
? `https://raw.githubusercontent.com/${owner}/${repo}/${ref}/${p}`
: `https://${hostname}/raw/${owner}/${repo}/${ref}/${p}`;
}
function gitHubApiBase(hostname: string) {
return isGitHubDotCom(hostname) ? "https://api.github.com" : `https://${hostname}/api/v3`;
}
export function companyPortabilityService(db: Db, storage?: StorageService) { export function companyPortabilityService(db: Db, storage?: StorageService) {
const companies = companyService(db); const companies = companyService(db);

30
server/src/services/company-skills.ts
View file

@ -30,6 +30,7 @@ import { normalizeAgentUrlKey } from "@paperclipai/shared";
import { findServerAdapter } from "../adapters/index.js"; import { findServerAdapter } from "../adapters/index.js";
import { resolvePaperclipInstanceRoot } from "../home-paths.js"; import { resolvePaperclipInstanceRoot } from "../home-paths.js";
import { notFound, unprocessable } from "../errors.js"; import { notFound, unprocessable } from "../errors.js";
import { ghFetch, gitHubApiBase, resolveRawGitHubUrl } from "./github-fetch.js";
import { agentService } from "./agents.js"; import { agentService } from "./agents.js";
import { projectService } from "./projects.js"; import { projectService } from "./projects.js";
import { secretService } from "./secrets.js"; import { secretService } from "./secrets.js";
@ -470,14 +471,6 @@ function parseFrontmatterMarkdown(raw: string): { frontmatter: Record<string, un
}; };
} }
async function ghFetch(url: string, init?: RequestInit): Promise<Response> {
try {
return await fetch(url, init);
} catch {
throw unprocessable(`Could not connect to ${new URL(url).hostname} — ensure the URL points to a GitHub or GitHub Enterprise instance`);
}
}
async function fetchText(url: string) { async function fetchText(url: string) {
const response = await ghFetch(url); const response = await ghFetch(url);
if (!response.ok) { if (!response.ok) {
@ -498,14 +491,6 @@ async function fetchJson<T>(url: string): Promise<T> {
return response.json() as Promise<T>; return response.json() as Promise<T>;
} }
function isGitHubDotCom(hostname: string) {
const h = hostname.toLowerCase();
return h === "github.com" || h === "www.github.com";
}
function gitHubApiBase(hostname: string) {
return isGitHubDotCom(hostname) ? "https://api.github.com" : `https://${hostname}/api/v3`;
}
async function resolveGitHubDefaultBranch(owner: string, repo: string, apiBase: string) { async function resolveGitHubDefaultBranch(owner: string, repo: string, apiBase: string) {
const response = await fetchJson<{ default_branch?: string }>( const response = await fetchJson<{ default_branch?: string }>(
@ -566,12 +551,6 @@ async function resolveGitHubPinnedRef(parsed: ReturnType<typeof parseGitHubSourc
return { pinnedRef, trackingRef }; return { pinnedRef, trackingRef };
} }
function resolveRawGitHubUrl(hostname: string, owner: string, repo: string, ref: string, filePath: string) {
const p = filePath.replace(/^\/+/, "");
return isGitHubDotCom(hostname)
? `https://raw.githubusercontent.com/${owner}/${repo}/${ref}/${p}`
: `https://${hostname}/raw/${owner}/${repo}/${ref}/${p}`;
}
function extractCommandTokens(raw: string) { function extractCommandTokens(raw: string) {
const matches = raw.match(/"[^"]*"|'[^']*'|\S+/g) ?? []; const matches = raw.match(/"[^"]*"|'[^']*'|\S+/g) ?? [];
@ -1004,8 +983,11 @@ async function readUrlSkillImports(
const warnings: string[] = []; const warnings: string[] = [];
const isGitHubRepoUrl = (() => { try { const isGitHubRepoUrl = (() => { try {
const parsed = new URL(url); const parsed = new URL(url);
if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return false; if (parsed.protocol !== "https:") return false;
return parsed.pathname.split("/").filter(Boolean).length >= 2 && !parsed.pathname.endsWith(".md"); const h = parsed.hostname.toLowerCase();
if (h.endsWith(".githubusercontent.com") || h === "gist.github.com") return false;
const segments = parsed.pathname.split("/").filter(Boolean);
return segments.length >= 2 && !parsed.pathname.endsWith(".md");
} catch { return false; } })(); } catch { return false; } })();
if (isGitHubRepoUrl) { if (isGitHubRepoUrl) {
const parsed = parseGitHubSourceUrl(url); const parsed = parseGitHubSourceUrl(url);

25
server/src/services/github-fetch.ts Normal file
View file

@ -0,0 +1,25 @@
import { unprocessable } from "../errors.js";
function isGitHubDotCom(hostname: string) {
const h = hostname.toLowerCase();
return h === "github.com" || h === "www.github.com";
}
export function gitHubApiBase(hostname: string) {
return isGitHubDotCom(hostname) ? "https://api.github.com" : `https://${hostname}/api/v3`;
}
export function resolveRawGitHubUrl(hostname: string, owner: string, repo: string, ref: string, filePath: string) {
const p = filePath.replace(/^\/+/, "");
return isGitHubDotCom(hostname)
? `https://raw.githubusercontent.com/${owner}/${repo}/${ref}/${p}`
: `https://${hostname}/raw/${owner}/${repo}/${ref}/${p}`;
}
export async function ghFetch(url: string, init?: RequestInit): Promise<Response> {
try {
return await fetch(url, init);
} catch {
throw unprocessable(`Could not connect to ${new URL(url).hostname} — ensure the URL points to a GitHub or GitHub Enterprise instance`);
}
}

2
ui/src/components/NewProjectDialog.tsx
View file

@ -121,7 +121,7 @@ export function NewProjectDialog() {
const isGitHubRepoUrl = (value: string) => { const isGitHubRepoUrl = (value: string) => {
try { try {
const parsed = new URL(value); const parsed = new URL(value);
if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return false; if (parsed.protocol !== "https:") return false;
const segments = parsed.pathname.split("/").filter(Boolean); const segments = parsed.pathname.split("/").filter(Boolean);
return segments.length >= 2; return segments.length >= 2;
} catch { } catch {

2
ui/src/components/ProjectProperties.tsx
View file

@ -346,7 +346,7 @@ export function ProjectProperties({ project, onUpdate, onFieldUpdate, getFieldSa
const isGitHubRepoUrl = (value: string) => { const isGitHubRepoUrl = (value: string) => {
try { try {
const parsed = new URL(value); const parsed = new URL(value);
if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return false; if (parsed.protocol !== "https:") return false;
const segments = parsed.pathname.split("/").filter(Boolean); const segments = parsed.pathname.split("/").filter(Boolean);
return segments.length >= 2; return segments.length >= 2;
} catch { } catch {