Enhance handler name validation to enforce strict snake_case format

GrantBirki · GrantBirki · commit 94766bbee82e · 2025-06-17T09:42:33.000-07:00
diff --git a/lib/hooks/core/config_validator.rb b/lib/hooks/core/config_validator.rb
@@ -125,8 +125,8 @@ def self.valid_handler_name?(handler_name)
         # Must not be empty or only whitespace
         return false if handler_name.strip.empty?
 
-        # Must match a safe pattern: alphanumeric + underscore, starting with lowercase
-        return false unless handler_name.match?(/\A[a-z][a-z0-9_]*\z/)
+        # Must match strict snake_case pattern: starts with lowercase, no trailing/consecutive underscores
+        return false unless handler_name.match?(/\A[a-z][a-z0-9]*(?:_[a-z0-9]+)*\z/)
 
         # Convert to PascalCase for security check (since DANGEROUS_CLASSES uses PascalCase)
         pascal_case_name = handler_name.split("_").map(&:capitalize).join("")
diff --git a/spec/unit/lib/hooks/core/config_validator_security_spec.rb b/spec/unit/lib/hooks/core/config_validator_security_spec.rb
@@ -49,7 +49,10 @@
             { path: "/webhook", handler: "handler test" },      # spaces
             { path: "/webhook", handler: "handler\ntest" },     # newlines
             { path: "/webhook", handler: "handlerTest" },       # camelCase
-            { path: "/webhook", handler: "HandlerTest" }        # PascalCase
+            { path: "/webhook", handler: "HandlerTest" },       # PascalCase
+            { path: "/webhook", handler: "handler_" },          # trailing underscore
+            { path: "/webhook", handler: "my__handler" },       # consecutive underscores
+            { path: "/webhook", handler: "handler__test" }      # consecutive underscores in middle
           ]
 
           invalid_configs.each do |config|
