From 3b7938df3df5d0ae31bd0b26348ae819eea545bb Mon Sep 17 00:00:00 2001
From: Gbolahan-Aziz
Date: Wed, 10 Jun 2026 10:36:19 +0100
Subject: [PATCH] fix: prevent branch names starting with hex chars from matching commit ID pattern

---
 checkov/common/goget/github/get_git.py | 2 +-
 tests/common/goget/test_goget_github.py | 26 +++++++++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/checkov/common/goget/github/get_git.py b/checkov/common/goget/github/get_git.py
index 982c7f2659..09d8f69e96 100644
--- a/checkov/common/goget/github/get_git.py
+++ b/checkov/common/goget/github/get_git.py
@@ -15,7 +15,7 @@
 except ImportError as e:
 git_import_error = e
-COMMIT_ID_PATTERN = re.compile(r"\?(ref=)(?P([0-9a-f]{5,40}))")
+COMMIT_ID_PATTERN = re.compile(r"\?(ref=)(?P([0-9a-f]{5,40}))(?:&|$)")
 TAG_PATTERN = re.compile(r'\?(ref=)(?P(.*))') # technically should be with ?ref=tags/ but this catches both
 BRANCH_PATTERN = re.compile(r'\?(ref=heads/)(?P(.*))')
diff --git a/tests/common/goget/test_goget_github.py b/tests/common/goget/test_goget_github.py
index c9f144bca7..b70fb8ce79 100644
--- a/tests/common/goget/test_goget_github.py
+++ b/tests/common/goget/test_goget_github.py
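Review bot: The new `(?:&|$)` suffix on the `+COMMIT_ID_PATTERN` line carries no comment, and the reason for it (a branch whose name merely starts with 5–40 lowercase hex characters, such as `1014016-chekov-branch-bug`, must not be classified as a commit ID) is not obvious from the regex; suggest `# require '&' or end of string after the hex run so a branch that only begins with hex chars is not taken for a commit ID` directly above it. The ambiguity is narrowed, not removed: a ref consisting entirely of hex characters (constructed example `deadbeef`) still matches here and also matches TAG_PATTERN, so which classification wins depends on the order in which the caller tries the patterns, which is outside this hunk — a short sentence on that in the same comment would save the next reader a trip. Python's `$` also matches just before a trailing newline; if the URL can reach this pattern with one, `\Z` is the stricter anchor, though the call site is not visible here to say whether that matters.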
@@ -267,5 +267,31 @@ def capture_env(*args, **kwargs):
 mock_repo.clone_from.assert_called_once()
+ def test_parse_branch_name_starting_with_hex_chars(self):
+ """Branch names that start with hex characters should not be mistaken for commit IDs.
+
+ Regression test for https://github.com/bridgecrewio/checkov/issues/XXXX:
+ A ref like '1014016-chekov-branch-bug' starts with 7 valid hex characters.
+ The old COMMIT_ID_PATTERN (without an end anchor) partially matched '1014016',
+ stripped only that portion from the URL, and left '-chekov-branch-bug' dangling
+ — corrupting the repo name in the resulting git clone command.
+ """
+ url = "ssh://git@ssh.dev.azure.com/v3/Company/cat-tf-modules?ref=1014016-chekov-branch-bug"
+ getter = GitGetter(url)
+ git_url = getter.extract_git_ref(url)
+
+ self.assertEqual(
+ "ssh://git@ssh.dev.azure.com/v3/Company/cat-tf-modules",
+ git_url,
+ "URL should not have the branch name appended to the repo path",
+ )
+ self.assertIsNone(getter.commit_id, "Should not be parsed as a commit ID")
+ self.assertEqual(
+ "1014016-chekov-branch-bug",
+ getter.tag,
+ "Branch/tag name should be captured in full",
+ )
+
+
 if __name__ == '__main__':
 unittest.main()
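Review bot: The docstring of `test_parse_branch_name_starting_with_hex_chars` still contains the placeholder `https://github.com/bridgecrewio/checkov/issues/XXXX`; either fill in the issue number or drop the link so the test does not land with a dead reference. Only the rejecting side of the new anchor is exercised — `1014016-chekov-branch-bug` fails to match because `-` follows the hex run — while no case checks that a genuine commit ID followed by another query parameter (constructed: `?ref=<commit-sha>&depth=1`) is still recognised through the `&` alternative, so a regression there would go unnoticed. The docstring's account of the old behaviour ("stripped only that portion from the URL") describes extract_git_ref, which this diff does not show; trimming it to the contract the three assertions pin would keep it accurate over time.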