pkg/ssh/cmd/commit.go 🔗

@@ -2,6 +2,7 @@ package cmd
 
 import (
 	"fmt"
+	"regexp"
 	"strings"
 	"time"
 
@@ -13,6 +14,8 @@ import (
 	"github.com/spf13/cobra"
 )
 
+var shaRE = regexp.MustCompile(`^[a-fA-F0-9]{5,40}$`)
+
 // commitCommand returns a command that prints the contents of a commit.
 func commitCommand() *cobra.Command {
 	var color bool
@@ -29,6 +32,10 @@ func commitCommand() *cobra.Command {
 			repoName := args[0]
 			commitSHA := args[1]
 
+			if !shaRE.MatchString(commitSHA) {
+				return fmt.Errorf("invalid commit SHA: %s", commitSHA)
+			}
+
 			rr, err := be.Repository(ctx, repoName)
 			if err != nil {
 				return err