Validate username

Author: ernilambar

index.js

@@ -81,6 +81,10 @@ const wpDeployer = async () => {
     console.error(chalk.red('Username is required.'))
     return EXIT_CONFIG
   }
+  if (error === 'invalid_username') {
+    console.error(chalk.red(errorMessage || 'Invalid username.'))
+    return EXIT_CONFIG
+  }
   if (error === 'theme_earlier_version_required') {
     console.error(chalk.red('For repoType theme, earlierVersion is required.'))
     return EXIT_CONFIG

lib/config.js

@@ -38,7 +38,7 @@ export function getDefaults (pkg) {
 /**
  * Resolve settings from package.json. Does not exit; returns an error key if validation fails.
  * @param {object} pkg - Parsed package.json (must have name, version)
- * @returns {{ settings: object, error: null | 'invalid_slug' | 'username_required' | 'theme_earlier_version_required' | 'invalid_config' | 'invalid_svn_url' | 'invalid_new_version' | 'invalid_earlier_version', errorMessage?: string }}
+ * @returns {{ settings: object, error: null | 'invalid_slug' | 'username_required' | 'invalid_username' | 'theme_earlier_version_required' | 'invalid_config' | 'invalid_svn_url' | 'invalid_new_version' | 'invalid_earlier_version', errorMessage?: string }}
  */
 export function resolveSettings (pkg) {
   const defaults = getDefaults(pkg)
@@ -92,6 +92,15 @@ export function resolveSettings (pkg) {
     }
   }
 
+  // Username is interpolated into shell commands; allow only safe chars (WordPress.org style)
+  if (!/^[a-zA-Z0-9_-]+$/.test(settings.username)) {
+    return {
+      settings,
+      error: 'invalid_username',
+      errorMessage: 'username must contain only letters, numbers, hyphens, and underscores (typical WordPress.org username).'
+    }
+  }
+
   if (
     settings.repoType === 'plugin' &&
     settings.deployTag === true &&

lib/preflight.js

@@ -2,7 +2,7 @@
  * Pre-deploy checks: required tools on PATH, build/assets directories.
  */
 
-import path from 'path'
+import path from 'node:path'
 import { execSync } from 'child_process'
 import { DeployError } from './deploy-error.js'
 import { EXIT_CONFIG } from './exit-codes.js'

package.json

@@ -29,6 +29,11 @@
     "url": "https://github.com/ernilambar/wp-deployer/issues"
   },
   "homepage": "https://github.com/ernilambar/wp-deployer#readme",
+  "files": [
+    "index.js",
+    "lib",
+    "README.md"
+  ],
   "dependencies": {
     "ajv": "^8.18.0",
     "chalk": "^5.6.2",

test/config.test.js

@@ -57,6 +57,25 @@ describe('resolveSettings', () => {
     assert.strictEqual(settings.username, 'jane')
   })
 
+  it('returns invalid_username when username contains disallowed characters', () => {
+    const withSpace = resolveSettings({ ...basePkg, wpDeployer: { username: 'jane doe' } })
+    assert.strictEqual(withSpace.error, 'invalid_username')
+    assert.ok(withSpace.errorMessage && /letters, numbers, hyphens, and underscores/.test(withSpace.errorMessage))
+
+    const withQuote = resolveSettings({ ...basePkg, wpDeployer: { username: 'jane"doe' } })
+    assert.strictEqual(withQuote.error, 'invalid_username')
+
+    const withSemicolon = resolveSettings({ ...basePkg, wpDeployer: { username: 'jane;rm' } })
+    assert.strictEqual(withSemicolon.error, 'invalid_username')
+  })
+
+  it('accepts username with only alphanumeric, hyphen, and underscore', () => {
+    assert.strictEqual(resolveSettings({ ...basePkg, wpDeployer: { username: 'jane' } }).error, null)
+    assert.strictEqual(resolveSettings({ ...basePkg, wpDeployer: { username: 'jane_doe' } }).error, null)
+    assert.strictEqual(resolveSettings({ ...basePkg, wpDeployer: { username: 'jane-doe-99' } }).error, null)
+    assert.strictEqual(resolveSettings({ ...basePkg, wpDeployer: { username: 'User123' } }).error, null)
+  })
+
   it('defaults url to plugins.svn.wordpress.org for plugin', () => {
     const pkg = { ...basePkg, wpDeployer: { username: 'jane' } }
     const { settings } = resolveSettings(pkg)