address codeql

Author: jonathanlab

apps/cli/src/cli.ts

@@ -45,7 +45,7 @@ import {
 
 const CMD_WIDTH = 22;
 
-const TAGLINE = `Array (arr) is a CLI for stacked PRs using Jujutsu (jj).
+const TAGLINE = `arr is a CLI for stacked PRs using jj.
 It enables stacking changes on top of each other to keep you unblocked
 and your changes small, focused, and reviewable.`;
 
@@ -98,19 +98,19 @@ ${coreCommands.map(formatCoreCommand).join("\n")}
   Run ${cyan("arr --help --all")} for a full command reference.
 
 ${bold("CORE WORKFLOW")}
-  1. ${cyan('arr create "add user auth"')}  Create a new change
-  2. ${dim("(make edits - jj tracks automatically)")}
-  3. ${cyan('arr create "add tests"')}      Stack another change
-  4. ${cyan("arr submit")}                   Create PRs for the stack
-  5. ${cyan("arr sync")}                     Fetch & rebase after reviews
+  1. ${cyan('arr create "add user auth"')}\tCreate a new change
+  2. ${dim("(make edits)")}\t\t\t  jj tracks automatically
+  3. ${cyan('arr create "add tests"')}\tStack another change
+  4. ${cyan("arr submit")}\t\t\tCreate PRs for the stack
+  5. ${cyan("arr sync")}\t\t\tFetch & rebase after reviews
 
 ${bold("ESCAPE HATCH")}
-  ${cyan("arr exit")}                    Switch back to plain git if you need it.
-                            Your jj changes are preserved and you can return anytime.
+  ${cyan("arr exit")}\t\t\tSwitch back to plain git if you need it.
+  \t\t\t\tYour jj changes are preserved and you can return anytime.
 
 ${bold("LEARN MORE")}
-  Documentation:    https://github.com/posthog/array
-  jj documentation: https://www.jj-vcs.dev/latest/
+  Documentation\t\t\thttps://github.com/posthog/array
+  jj documentation\t\thttps://www.jj-vcs.dev/latest/
 `);
 }
 

packages/core/src/ci.ts

@@ -14,10 +14,16 @@ on:
   pull_request_target:
     types: [closed]
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest
     if: github.event_name == 'pull_request'
+    permissions:
+      pull-requests: read
+      issues: read
     steps:
       - name: Check stack dependencies
         uses: actions/github-script@v7
@@ -86,6 +92,9 @@ jobs:
       github.event_name == 'pull_request_target' &&
       github.event.action == 'closed' &&
       github.event.pull_request.merged == true
+    permissions:
+      pull-requests: write
+      issues: read
     steps:
       - name: Trigger recheck of dependent PRs
         uses: actions/github-script@v7
@@ -168,14 +177,17 @@ export function getRepoInfoFromRemote(
   remoteUrl: string,
 ): Result<{ owner: string; repo: string }> {
   // Handle SSH format: git@github.com:owner/repo.git
-  const sshMatch = remoteUrl.match(/git@github\.com:([^/]+)\/([^/.\s]+)/);
+  // Use [\w-]+ to match valid GitHub usernames/org names (alphanumeric, underscore, hyphen)
+  const sshMatch = remoteUrl.match(
+    /^git@github\.com:([\w-]+)\/([\w.-]+?)(?:\.git)?$/,
+  );
   if (sshMatch) {
     return ok({ owner: sshMatch[1], repo: sshMatch[2] });
   }
 
   // Handle HTTPS format: https://github.com/owner/repo.git
   const httpsMatch = remoteUrl.match(
-    /https:\/\/github\.com\/([^/]+)\/([^/.\s]+)/,
+    /^https:\/\/github\.com\/([\w-]+)\/([\w.-]+?)(?:\.git)?$/,
   );
   if (httpsMatch) {
     return ok({ owner: httpsMatch[1], repo: httpsMatch[2] });

packages/core/src/jj.ts

@@ -217,7 +217,8 @@ export class JJ {
     }
 
     // Search by description and bookmarks
-    const escaped = query.replace(/"/g, '\\"');
+    // Escape backslashes first, then quotes
+    const escaped = query.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
     const revset = options.includeBookmarks
       ? `description(substring-i:"${escaped}") | bookmarks(substring-i:"${escaped}")`
       : `description(substring-i:"${escaped}")`;
@@ -601,7 +602,9 @@ export class JJ {
       if (stack.changeCount !== 1) return true;
       const only = stack.changes[0];
       if (!only.isWorkingCopy) return true;
-      return !only.isEmpty || only.description.trim() !== "" || only.hasConflicts;
+      return (
+        !only.isEmpty || only.description.trim() !== "" || only.hasConflicts
+      );
     });
 
     // Sort by whether it contains current, then by timestamp
@@ -849,9 +852,15 @@ export class JJ {
   }
 
   async exitToGit(): Promise<Result<{ trunk: string }>> {
-    const result = await this.executor.execute("git", ["checkout", this.trunk], { cwd: this.cwd });
+    const result = await this.executor.execute(
+      "git",
+      ["checkout", this.trunk],
+      { cwd: this.cwd },
+    );
     if (result.exitCode !== 0) {
-      return err(createError("COMMAND_FAILED", result.stderr || "git checkout failed"));
+      return err(
+        createError("COMMAND_FAILED", result.stderr || "git checkout failed"),
+      );
     }
     return ok({ trunk: this.trunk });
   }