From 5a2bde5882610b0ba08bf8d9cf339fe2c487e665 Mon Sep 17 00:00:00 2001
From: Carlos Alexandro Becker
Date: Thu, 21 Aug 2025 13:29:15 -0300
Subject: [PATCH] fix: check that commit is a SHA1 (#737)
Signed-off-by: Carlos Alexandro Becker
---
 pkg/ssh/cmd/commit.go | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/pkg/ssh/cmd/commit.go b/pkg/ssh/cmd/commit.go
index ad2020d36a2076e540f71c3eba380909fd7756b9..1d99d299aaa549d186679e9236007d138881977f 100644
--- a/pkg/ssh/cmd/commit.go
+++ b/pkg/ssh/cmd/commit.go
@@ -2,6 +2,7 @@ package cmd
 import (
 "fmt"
+ "regexp"
 "strings"
 "time"
@@ -13,6 +14,8 @@ import (
 "github.com/spf13/cobra"
 )
+var shaRE = regexp.MustCompile(`^[a-fA-F0-9]{5,40}$`)
+
 // commitCommand returns a command that prints the contents of a commit.
 func commitCommand() *cobra.Command {
 var color bool
@@ -29,6 +32,10 @@ func commitCommand() *cobra.Command {
 repoName := args[0]
 commitSHA := args[1]
+ if !shaRE.MatchString(commitSHA) {
+ return fmt.Errorf("invalid commit SHA: %s", commitSHA)
+ }
+
 rr, err := be.Repository(ctx, repoName)
 if err != nil {
 return err
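Review bot: `shaRE` is declared without a comment, so the reason the argument is restricted to hex digits is not recorded next to the pattern. I would add `// shaRE matches a full or abbreviated hex SHA-1 object ID; commitCommand rejects anything else (ref names, revision expressions, option-like strings).` above it. The upper bound of 40 also means a 64-digit object ID from a SHA-256 repository would be refused; whether such repositories are meant to be served cannot be told from this patch, and `{5,64}` would be the change if they are. In Go's regexp, `$` without `(?m)` matches only at the end of the text, so a value with a trailing newline does not pass.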
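Review bot: The error returned by the added check echoes the rejected argument with `%s`, and that argument is by construction client-supplied text that is not hex, so control characters or terminal escape sequences in it would be written back verbatim wherever the error is printed or logged. `return fmt.Errorf("invalid commit SHA: %q", commitSHA)` quotes and escapes the value instead. The diffstat lists only commit.go, so a table test for this check appears to be missing: an empty string, a ref name, a value starting with `-` and a 41-character hex string rejected, and a 5- and a 40-character hex string accepted. The enclosing function starts and ends outside the hunk.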