| Version | Supported |
|---|---|
| main | ✅ |
| < 1.0 | ❌ |

If you discover a security vulnerability, please open a security advisory on GitHub.
All GitHub URLs are validated before processing to prevent:
- Path traversal attacks (e.g., `../../../etc/passwd`)
- Injection attacks via malformed repository/owner names
- Malformed URLs with invalid characters
The validation ensures:
- No leading or trailing dots in owner/repo names
- No consecutive dots (prevents `..` path traversal)
- Only valid characters (alphanumeric, hyphens, dots)
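The owner/repo rules above, as an added example in plain Lua (not the plugin's own code): `parse_github_url` and `validate_segment` are assumed names, and the URL shape `https://github.com/<owner>/<repo>` is an assumption about the inputs the plugin accepts.

```lua
-- Added example, not the plugin's code. Plain Lua, no Neovim APIs required.
local M = {}

-- Check one path segment (owner or repository name) against the documented
-- rules. Returns true, or false plus a reason.
local function validate_segment(name, label)
  if type(name) ~= "string" or name == "" then
    return false, label .. " is empty"
  end
  -- Only alphanumeric characters, hyphens and dots are allowed.
  if name:find("[^%w%-%.]") then
    return false, label .. " contains invalid characters"
  end
  -- No leading or trailing dots.
  if name:sub(1, 1) == "." or name:sub(-1) == "." then
    return false, label .. " has a leading or trailing dot"
  end
  -- No consecutive dots: rules out ".." path-traversal segments.
  if name:find("..", 1, true) then
    return false, label .. " contains consecutive dots"
  end
  return true
end

-- Parse "https://github.com/<owner>/<repo>" (optional trailing ".git" or "/")
-- and validate both segments. Returns owner, repo on success or nil, reason.
function M.parse_github_url(url)
  local owner, repo = url:match("^https://github%.com/([^/]+)/([^/]+)/?$")
  if not owner then
    return nil, "not a https://github.com/<owner>/<repo> URL"
  end
  repo = repo:gsub("%.git$", "")
  local ok, err = validate_segment(owner, "owner")
  if not ok then return nil, err end
  ok, err = validate_segment(repo, "repo")
  if not ok then return nil, err end
  return owner, repo
end

-- Constructed sample inputs: one valid URL, two that must be rejected.
assert(M.parse_github_url("https://github.com/neovim/neovim.git") == "neovim")
assert(M.parse_github_url("https://github.com/../../../etc/passwd") == nil)
assert(M.parse_github_url("https://github.com/owner/..hidden") == nil)

return M
```

The traversal URL fails the shape match before any segment check runs; `..hidden` passes the character check and is caught by the leading-dot rule.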
All external commands (gh CLI) are executed via vim.system with:
- Proper argument array separation (no shell injection)
- Timeout protection (30-second limit for git operations)
- Async execution (non-blocking)
- Stderr/stdout separation for proper error handling
All buffer operations are wrapped in:
- Validity checks before access
- `pcall` protection for async operations
- Proper cleanup on buffer deletion
- Error logging instead of crashing
The plugin respects GitHub API rate limits via:
- Local caching with TTL (default 5 minutes)
- Debounced scanning (default 500ms)
- Batch fetching to minimize API calls
None reported yet (plugin in initial development).