fix: request_apply_commit resolves sha locally + rejects non-sha refs

2026-05-20 09:48:05 +02:00 · 2026-05-20 09:48:05 +02:00 · f8795dc029
commit f8795dc029
parent 5d27ae3048
6 changed files with 130 additions and 17 deletions
--- a/hive-c0re/src/manager_server.rs
+++ b/hive-c0re/src/manager_server.rs
@ -392,6 +392,25 @@ async fn dispatch(req: &ManagerRequest, coord: &Arc<Coordinator>) -> ManagerResp
    }
 }

+/// `request_apply_commit` takes a commit SHA only — not a branch or
+/// tag name. A branch is mutable; pinning the proposal to a concrete
+/// sha keeps "what the manager asked to deploy" unambiguous and means
+/// the `proposal/<id>` tag is a faithful record of the request.
+/// Accepts a 7..=40 char hex string (short or full sha); the exact
+/// commit is resolved + existence-checked against the proposed repo
+/// later in `lifecycle::git_fetch_to_tag`.
+fn validate_commit_ref(commit_ref: &str) -> Result<()> {
+    let n = commit_ref.len();
+    let hex = commit_ref.chars().all(|c| c.is_ascii_hexdigit());
+    if !(7..=40).contains(&n) || !hex {
+        anyhow::bail!(
+            "commit_ref '{commit_ref}' is not a commit sha — request_apply_commit \
+             takes a 7-40 char hex sha, not a branch or tag name"
+        );
+    }
+    Ok(())
+}
+
 /// Submit-time half of the apply flow: queue the approval row, then
 /// fetch the manager's commit from the proposed repo into applied and
 /// pin it as `refs/tags/proposal/<id>`. From this point on the manager
@ -409,6 +428,7 @@ async fn submit_apply_commit(
    commit_ref: &str,
    description: Option<&str>,
 ) -> anyhow::Result<(i64, String)> {
+    validate_commit_ref(commit_ref)?;
    let proposed_dir = crate::coordinator::Coordinator::agent_proposed_dir(agent);
    let applied_dir = crate::coordinator::Coordinator::agent_applied_dir(agent);
    if !proposed_dir.exists() {
@ -518,3 +538,33 @@ pub fn spawn_question_watchdog(coord: &Arc<Coordinator>, id: i64, ttl_secs: u64)
        }
    });
 }
+
+#[cfg(test)]
+mod tests {
+    use super::validate_commit_ref;
+
+    #[test]
+    fn accepts_short_and_full_sha() {
+        assert!(validate_commit_ref("e194f78").is_ok());
+        assert!(validate_commit_ref("e194f7812ab").is_ok());
+        assert!(validate_commit_ref(&"a".repeat(40)).is_ok());
+        // Uppercase hex resolves fine through `git rev-parse`.
+        assert!(validate_commit_ref("E194F78").is_ok());
+    }
+
+    #[test]
+    fn rejects_branch_and_tag_names() {
+        // The exact bug class this guard exists for.
+        assert!(validate_commit_ref("main").is_err());
+        assert!(validate_commit_ref("HEAD").is_err());
+        assert!(validate_commit_ref("deployed/0").is_err());
+        assert!(validate_commit_ref("feature-branch").is_err());
+    }
+
+    #[test]
+    fn rejects_too_short_too_long_and_empty() {
+        assert!(validate_commit_ref("").is_err());
+        assert!(validate_commit_ref("abc123").is_err()); // 6 chars
+        assert!(validate_commit_ref(&"a".repeat(41)).is_err());
+    }
+}