From 0159c45c04942facddeda24fba980ab676a1a71c Mon Sep 17 00:00:00 2001 From: ReenigneArcher <42013603+ReenigneArcher@users.noreply.github.com> Date: Wed, 28 Jan 2026 12:45:16 -0500 Subject: [PATCH] fix: properly sanitize github url --- scripts/build-index.cjs | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/scripts/build-index.cjs b/scripts/build-index.cjs index 670ce12..628475c 100644 --- a/scripts/build-index.cjs +++ b/scripts/build-index.cjs @@ -6,6 +6,7 @@ const fs = require('node:fs'); const path = require('node:path'); +const { URL } = require('node:url'); const { glob } = require('glob'); // Version constants @@ -20,11 +21,17 @@ const MASTER_INDEX_VERSION = '0.1.0'; * @returns {Promise} Repository metadata or null if not available */ async function fetchGitHubMetadata(repoUrl) { - if (!repoUrl?.includes('github.com')) { + if (!repoUrl) { return null; } try { + // Parse and validate the URL to prevent substring injection attacks + const url = new URL(repoUrl); + if (url.hostname !== 'github.com') { + return null; + } + // Extract owner/repo from URL const match = new RegExp(/github\.com\/([^/]+)\/([^/]+)/).exec(repoUrl); if (!match) {
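Review bot: The owner/repo extraction at the end of the second hunk still runs the regex over the raw `repoUrl` string rather than the parsed `url`, so the new hostname check and the extraction can disagree: `https://github.com:443/owner/repo` passes the hostname check but never matches `github\.com\/`, while `https://github.com/owner/repo?x=1` or `.../repo#readme` captures `repo?x=1` / `repo#readme` as the repository name because `[^/]+` does not stop at `?` or `#`. Since the URL is already parsed, derive the segments from the pathname, which drops port, query and fragment: `const [owner, repo] = url.pathname.split('/').filter(Boolean);` followed by `if (!owner || !repo) { return null; }`, and use those where the code presumably reads `match[1]`/`match[2]` further down. Also worth a comment on the `new URL(repoUrl)` line: it throws on scheme-less strings such as `github.com/owner/repo` and on SCP-style `git@github.com:owner/repo`, both of which the old `includes` check accepted, so those inputs now fall through to the `catch` that must follow this `try` — confirm that is the intended outcome, e.g. `// new URL() throws on scheme-less / SCP-style inputs; handled by the catch below`. fetchGitHubMetadata continues past the end of the hunk, so the consumer of `match` and the catch block are not visible here.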