feat: add on-demand deploy by ogzhanolguncu · Pull Request #5370 · unkeyed/unkey
356-356: ⚠️ Potential issue | 🟠 Major
Use GitHub’s default branch as the source of truth.
Line 356 makes the branch client-controlled, and Lines 379-396 / 409-412 use it for tree lookup, Dockerfile detection, and branch injection. If that value is stale or tampered with, this endpoint can 404 or report the wrong repo metadata. This route already fetches repoData, so it should derive defaultBranch from repoData.default_branch instead.
🔧 Minimal fix
z.object({
projectId: z.string(),
installationId: z.number().int(),
owner: z.string(),
repo: z.string(),
- defaultBranch: z.string(),
}),
)
.query(async ({ ctx, input }) => {
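Review bot: Dropping `defaultBranch` from the `z.object` input schema changes the procedure's public input type, so every tRPC caller that still passes `defaultBranch` has to be updated in the same change or the dashboard build fails at the call site. Because `z.object` strips unrecognized keys by default, a stale client that still sends the field is silently ignored at runtime, which is the desired behaviour here; a short comment on the schema noting that the branch is intentionally derived server-side would make that explicit.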
@@
- const [treeResult, activeBranches, repoData] = await Promise.all([
- getRepositoryTree(input.installationId, input.owner, input.repo, input.defaultBranch),
- // If the events API fails, fall back to an empty list so the branch fallback logic kicks in
- getMostActiveBranches(input.installationId, input.owner, input.repo).catch(
- (): BranchActivity[] => [],
- ),
- getRepository(input.installationId, input.owner, input.repo),
- ]);
+ const repoData = await getRepository(input.installationId, input.owner, input.repo);
+ const defaultBranch = repoData.default_branch;
+ const [treeResult, activeBranches] = await Promise.all([
+ getRepositoryTree(input.installationId, input.owner, input.repo, defaultBranch),
+ // If the events API fails, fall back to an empty list so the branch fallback logic kicks in
+ getMostActiveBranches(input.installationId, input.owner, input.repo).catch(
+ (): BranchActivity[] => [],
+ ),
+ ]);
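Review bot: Moving `getRepository` ahead of the `Promise.all` makes the tree fetch wait on an extra full round trip, but `getMostActiveBranches` does not depend on `defaultBranch` and is now needlessly serialized behind it as well. Start it together with `getRepository`, e.g. `const [repoData, activeBranches] = await Promise.all([getRepository(...), getMostActiveBranches(...).catch((): BranchActivity[] => [])])`, then `await getRepositoryTree(..., repoData.default_branch)` on its own, so only the call that actually needs the branch pays the added latency.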
@@
- input.defaultBranch,
+ defaultBranch,
@@
- if (!branches.some((b) => b.name === input.defaultBranch)) {
+ if (!branches.some((b) => b.name === defaultBranch)) {
branches.unshift({
- name: input.defaultBranch,
+ name: defaultBranch,
lastPushDate: null,
});
}
Also applies to: 378-385, 391-396, 409-412
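Review bot: With `defaultBranch` now taken from the repository record, the `unshift` fallback becomes the expected path whenever the default branch has no recent activity in the events-derived list (or that lookup fell back to `[]`), not an error case; a one-line comment saying so would keep a future reader from treating the `lastPushDate: null` entry as a bug. The strict `===` comparison is correct as written, since branch names are case-sensitive refs.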
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@web/apps/dashboard/lib/trpc/routers/github.ts` at line 356, the handler
currently trusts the client-provided input field defaultBranch and uses it for
tree lookups, Dockerfile detection and branch injection; instead derive the
branch from repoData.default_branch (the repoData object fetched earlier) and
replace uses of the input defaultBranch with repoData.default_branch (e.g., set
branch = repoData.default_branch before calling the tree API, Dockerfile
detection, and injection logic). Remove or ignore the input schema field
defaultBranch (z.string()) or mark it unused, and ensure all references in this
file that previously read defaultBranch (lines handling tree lookup, Dockerfile
detection, and branch injection) use repoData.default_branch so the repository's
actual default branch is the source of truth.