Merge pull request #616 from Squirbie/codex/attempt-source-url-control-576

ramimbo · web-flow · commit 6930385b0563 · 2026-05-29T10:43:46.000+03:00
Refs #576: Reject control chars in attempt source URLs
diff --git a/app/bounty_attempts.py b/app/bounty_attempts.py
@@ -11,7 +11,7 @@
 from sqlalchemy.orm import Session
 
 from app.db import session_scope
-from app.ledger.service import LedgerError, validate_public_url
+from app.ledger.service import CONTROL_CHAR_RE, LedgerError, validate_public_url
 from app.models import Bounty, BountyAttempt
 
 DEFAULT_ATTEMPT_TTL_SECONDS = 24 * 60 * 60
@@ -183,6 +183,10 @@ async def api_create_bounty_attempt(
             source = ""
         if not isinstance(source, str):
             raise HTTPException(status_code=400, detail="source_url must be a string")
+        if CONTROL_CHAR_RE.search(source):
+            raise HTTPException(
+                status_code=400, detail="source_url must not contain control characters"
+            )
         source = source.strip()
         try:
             source_url = validate_public_url(source) if source else None
diff --git a/tests/test_bounty_attempts.py b/tests/test_bounty_attempts.py
@@ -172,6 +172,41 @@ def test_bounty_attempts_accept_empty_body_defaults_to_login(sqlite_url: str, mo
     assert released.json()["attempt"]["status"] == "released"
 
 
+def test_bounty_attempt_source_url_rejects_raw_control_characters(
+    sqlite_url: str, monkeypatch
+) -> None:
+    monkeypatch.setenv("MERGEWORK_COOKIE_SECRET", COOKIE_SECRET)
+    create_schema(sqlite_url)
+    with session_scope(sqlite_url) as session:
+        ensure_genesis(session)
+        bounty = create_bounty(
+            session,
+            repo="ramimbo/mergework",
+            issue_number=328,
+            issue_url="https://github.com/ramimbo/mergework/issues/328",
+            title="Attempt source URL validation",
+            reward_mrwk="50",
+            max_awards=1,
+            acceptance="Attempt source URLs should be validated before normalization.",
+        )
+
+    client = TestClient(create_app(database_url=sqlite_url, webhook_secret="secret"))
+    _set_login(client, "alice")
+
+    response = client.post(
+        f"/api/v1/bounties/{bounty.id}/attempts",
+        json={
+            "source_url": "\thttps://github.com/ramimbo/mergework/pull/616",
+            "ttl_seconds": 3600,
+        },
+    )
+
+    assert response.status_code == 400
+    assert "control character" in response.json()["detail"].lower()
+    with session_scope(sqlite_url) as session:
+        assert session.scalars(select(BountyAttempt)).all() == []
+
+
 def test_single_award_bounty_warns_when_active_attempt_uses_available_slot(
     sqlite_url: str, monkeypatch
 ) -> None:
