GitHub Search Query Injection in Badge API Endpoints (Functional & Security) #276

@diksha12345612

Description

In the badge API routes (/api/badge/streak and /api/badge/commits), the input parameter user (GitHub username) is validated only for type and maximum length (<= 50 characters). It is then directly interpolated into the GitHub commit search query (q=author:${username}) without any character sanitization or character set validation. This allows attackers/users to perform search query injection by passing query modifiers like +repo:owner/repo or space-separated filters, which alters the intended search scope of the API and results in incorrect badge data.
Steps to reproduce:

1. Navigate to a valid badge URL: https://devtrack-delta.vercel.app/api/badge/commits?user=Priyanshu-byte-coder (displays the correct commits count, e.g. "Commits: 69 this month").
2. Modify the URL parameter by appending a non-existent repo filter: https://devtrack-delta.vercel.app/api/badge/commits?user=Priyanshu-byte-coder+repo:nonexistent/repo
3. Observe that the API accepts the parameter and successfully processes the injected repository restriction, displaying "Commits: 0 this month" instead of rejecting the invalid username with a 400 error.

Actual Behavior: The API does not sanitize the user input parameter or restrict it to alphanumeric characters and single hyphens, allowing arbitrary search terms to be injected into the query.

Expected Behavior: The API should reject any username parameter containing characters other than alphanumeric characters and single hyphens (/^a-z\d{0,38}$/i based on official GitHub username specifications) with a 400 Bad Request status.
Severity: Medium
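The following is an added example, not DevTrack's code or the reporter's, that reproduces the mechanism described above offline: the `+` in the query string decodes to a space, so the `user` value passes a type-and-length check and arrives in `author:${username}` carrying a second search qualifier. It also shows a validator built from GitHub's published username rules (1 to 39 characters, alphanumeric or single hyphens, no leading or trailing hyphen). The function names, the 400/200 result shape and the `searchUrl` helper are assumptions for illustration; the badge URL is the one from the issue.

```javascript
// Added example (not the project's code). Demonstrates the search-query
// injection from the issue and a hardened username check.

// How the server sees the parameter: URLSearchParams decodes "+" to a space,
// so "user=name+repo:x/y" becomes "name repo:x/y". (Hypothetical helper.)
function extractUser(urlString) {
  return new URL(urlString).searchParams.get("user");
}

// Vulnerable shape described in the issue: type and length are checked,
// then the value is interpolated straight into the GitHub search qualifier.
function buildQueryUnsafe(user) {
  if (typeof user !== "string" || user.length > 50) {
    return null;
  }
  return `author:${user}`;
}

// GitHub username rules: first char alphanumeric, then up to 38 more chars
// that are alphanumeric or a hyphen followed by an alphanumeric (so no
// double or trailing hyphen). Case-insensitive. Assumed from GitHub's
// signup validation, not taken from the project.
const GITHUB_USERNAME = /^[a-z\d](?:[a-z\d]|-(?=[a-z\d])){0,38}$/i;

function validateGitHubUsername(user) {
  return typeof user === "string" && GITHUB_USERNAME.test(user);
}

// Hardened shape: reject anything that is not a well-formed username with a
// 400 before it can reach the search query. (Hypothetical result shape.)
function buildQuerySafe(user) {
  if (!validateGitHubUsername(user)) {
    return { status: 400, error: "invalid username" };
  }
  return { status: 200, q: `author:${user}` };
}

// Builds the outbound GitHub Search API URL so the effect of the injected
// qualifier on the actual request is visible. (Hypothetical helper.)
function searchUrl(q) {
  const params = new URLSearchParams({ q });
  return `https://api.github.com/search/commits?${params}`;
}

// Stand-alone demonstration using the URLs from the issue.
const attackerUrl =
  "https://devtrack-delta.vercel.app/api/badge/commits?user=Priyanshu-byte-coder+repo:nonexistent/repo";
const injected = extractUser(attackerUrl);
console.log("decoded user param:", JSON.stringify(injected));
console.log("unsafe query:", buildQueryUnsafe(injected));
console.log("unsafe outbound URL:", searchUrl(buildQueryUnsafe(injected)));
console.log("safe result:", buildQuerySafe(injected));
console.log("safe result (valid user):", buildQuerySafe("Priyanshu-byte-coder"));
```

Note that the length check alone does not help: the injected value is 42 characters, well under the 50-character cap, and the space separating `author:` from `repo:` is exactly what the GitHub search syntax uses to separate qualifiers.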
