PR Review suggestions

Signed-off-by: sallyom <somalley@redhat.com>

Author: sallyom

components/backend/crd/bugfix.go

@@ -3,6 +3,7 @@ package crd
 import (
 	"context"
 	"fmt"
+	"log"
 
 	"ambient-code-backend/types"
 
@@ -113,8 +114,16 @@ func GetProjectBugFixWorkflowCR(dyn dynamic.Interface, project, id string) (*typ
 
 	spec, found, _ := unstructured.NestedMap(obj.Object, "spec")
 	if found {
+		// Parse githubIssueNumber with type safety - handle both int64 and float64
+		// JSON unmarshaling can produce either depending on the source
 		if val, ok := spec["githubIssueNumber"].(int64); ok {
 			workflow.GithubIssueNumber = int(val)
+		} else if val, ok := spec["githubIssueNumber"].(float64); ok {
+			workflow.GithubIssueNumber = int(val)
+		} else if spec["githubIssueNumber"] != nil {
+			// Log warning if type assertion fails - helps debug unexpected types
+			log.Printf("Warning: githubIssueNumber has unexpected type %T in BugFixWorkflow %s/%s",
+				spec["githubIssueNumber"], project, id)
 		}
 		if val, ok := spec["githubIssueURL"].(string); ok {
 			workflow.GithubIssueURL = val

components/backend/handlers/bugfix/create.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"log"
 	"net/http"
+	"regexp"
 	"strings"
 	"time"
 
@@ -24,6 +25,31 @@ var (
 	GetProjectSettingsResource func() schema.GroupVersionResource
 )
 
+// validBranchNameRegex defines allowed characters in branch names
+// Allows: letters, numbers, hyphens, underscores, forward slashes, and dots
+// Prevents: shell metacharacters, backticks, quotes, semicolons, pipes, etc.
+var validBranchNameRegex = regexp.MustCompile(`^[a-zA-Z0-9/_.-]+$`)
+
+// validateBranchName checks if a branch name is safe to use in git operations
+// Returns error if the branch name contains potentially dangerous characters
+func validateBranchName(branchName string) error {
+	if branchName == "" {
+		return fmt.Errorf("branch name cannot be empty")
+	}
+	if !validBranchNameRegex.MatchString(branchName) {
+		return fmt.Errorf("branch name contains invalid characters (allowed: a-z, A-Z, 0-9, /, _, -, .)")
+	}
+	// Prevent branch names that start with special characters
+	if strings.HasPrefix(branchName, ".") || strings.HasPrefix(branchName, "-") {
+		return fmt.Errorf("branch name cannot start with '.' or '-'")
+	}
+	// Prevent branch names with ".." (path traversal) or "//" (double slashes)
+	if strings.Contains(branchName, "..") || strings.Contains(branchName, "//") {
+		return fmt.Errorf("branch name cannot contain '..' or '//'")
+	}
+	return nil
+}
+
 // CreateProjectBugFixWorkflow handles POST /api/projects/:projectName/bugfix-workflows
 // Creates a new BugFix Workspace from either GitHub Issue URL or text description
 func CreateProjectBugFixWorkflow(c *gin.Context) {
@@ -165,6 +191,11 @@ func CreateProjectBugFixWorkflow(c *gin.Context) {
 	branch := "main"
 	if req.BranchName != nil && *req.BranchName != "" {
 		branch = *req.BranchName
+		// Validate user-provided branch name for security
+		if err := validateBranchName(branch); err != nil {
+			c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid branch name", "details": err.Error()})
+			return
+		}
 	} else {
 		// Auto-generate branch name: bugfix/gh-{issue-number}
 		branch = fmt.Sprintf("bugfix/gh-%d", githubIssue.Number)

components/backend/handlers/bugfix/sessions.go

@@ -1,7 +1,6 @@
 package bugfix
 
 import (
-	"context"
 	"fmt"
 	"log"
 	"net/http"
@@ -427,7 +426,7 @@ func CreateProjectBugFixWorkflowSession(c *gin.Context) {
 		},
 	}
 
-	created, err := reqDyn.Resource(gvr).Namespace(project).Create(context.TODO(), sessionObj, v1.CreateOptions{})
+	created, err := reqDyn.Resource(gvr).Namespace(project).Create(c.Request.Context(), sessionObj, v1.CreateOptions{})
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to create session", "details": err.Error()})
 		return