
fix(security): validate and sanitize github usernames in API routes #866

Open
harshitanagpal05 wants to merge 4 commits into Priyanshu-byte-coder:main from harshitanagpal05:fix/security-857-username-validation

Conversation

@harshitanagpal05

Summary

Fixes [Security] GitHub API URL path traversal and search query injection via unsanitized username parameter #857.

Changes

  • Added shared validator: src/lib/validate-github-username.ts
  • Applied validation guard to:
    • src/app/api/metrics/compare/route.ts
    • src/app/api/metrics/contributions/route.ts
    • src/app/api/badge/commits/route.ts
    • src/app/api/badge/streak-shield/route.ts
  • Added URL hardening:
    • encodeURIComponent() for GitHub path segments where username is interpolated
    • URL/URLSearchParams for query construction to prevent injection
  • Added tests:
    • test/validate-github-username.test.js

Security impact

  • Blocks path traversal attempts via username in GitHub API path usage.
  • Blocks search query injection in unauthenticated badge endpoints.

Validation

@vercel

vercel Bot commented May 23, 2026

@harshitanagpal05 is attempting to deploy a commit to the PRIYANSHU DOSHI's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions Bot added gssoc26 GSSoC 2026 contribution type:bug GSSoC type bonus: bug fix type:security GSSoC type bonus: security (+20 pts) type:testing GSSoC type bonus: tests (+10 pts) labels May 23, 2026
@github-actions

GSSoC Label Checklist 🏷️

@Priyanshu-byte-coder — please apply the appropriate labels before merging:

Difficulty (pick one):

  • level:beginner — 20 pts
  • level:intermediate — 35 pts
  • level:advanced — 55 pts
  • level:critical — 80 pts

Quality (optional):

  • quality:clean — ×1.2 multiplier
  • quality:exceptional — ×1.5 multiplier

Validation (required to score):

  • gssoc:approved — counts for points
  • gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus


@github-actions github-actions Bot left a comment


Thanks for your first PR on DevTrack! 🎉

A maintainer will review it within 48 hours. While you wait:

  • Make sure CI is passing (type-check + lint)
  • Double-check the PR description is filled out and the issue is linked
  • Feel free to ask questions in Discussions if you need help

If you find DevTrack useful, a ⭐ star on the repo is always appreciated — it helps the project grow and attract more contributors!

@Priyanshu-byte-coder
Owner

Changes needed before merge:

compare/route.ts — cache still uses next: { revalidate: 3600 }
All 4 fetch() calls in the compare route still pass next: { revalidate: 3600 }. This was the root cause of the cross-user data leak fixed in commit 435d85f — Next.js keys the cache by URL, so User A's authenticated GitHub response gets served to User B querying the same username. Please change all 4 to cache: "no-store":

// All fetch() calls in compare/route.ts
{ headers: { Authorization: `Bearer ${session.accessToken}` }, cache: "no-store" }

The validate-github-username.ts utility and URL API injection prevention are excellent — ready to merge once the cache issue is fixed. Please rebase on main first (commit 435d85f is already there).
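The comment above describes why a URL-keyed fetch cache leaks data between users when the request carries a per-user `Authorization` header. The following is an added illustration, not code from this PR or from Next.js: a toy in-memory cache keyed on URL stands in for the framework cache, `cachedFetch` and the `FetchInit` shape are assumptions for the model, and the "upstream" simply echoes which token it saw. `fetchMetricsLeaky` mirrors the `next: { revalidate: 3600 }` pattern and `fetchMetricsFixed` the `cache: "no-store"` replacement; `leaksAcrossUsers` reports whether the second user receives a body produced with the first user's token.

```typescript
// Added example (not Next.js and not the project's route code).
type FetchInit = {
  headers?: Record<string, string>;
  cache?: "no-store" | "default";
  next?: { revalidate: number };
};

// Constructed upstream: like an authenticated endpoint, the body depends on
// which token made the request.
function upstream(url: string, init: FetchInit): string {
  const auth = init.headers?.Authorization ?? "none";
  return `${url} as seen by ${auth}`;
}

// Cache keyed by URL only; the Authorization header is not part of the key,
// which is the behaviour the review comment describes.
const urlCache = new Map<string, string>();

export function cachedFetch(url: string, init: FetchInit): string {
  if (init.cache === "no-store") {
    return upstream(url, init); // bypass the cache entirely
  }
  const hit = urlCache.get(url);
  if (hit !== undefined) return hit;
  const body = upstream(url, init);
  urlCache.set(url, body);
  return body;
}

export function resetCache(): void {
  urlCache.clear();
}

const endpoint = (username: string): string =>
  `https://api.github.com/users/${encodeURIComponent(username)}`;

// Leaky pattern: time-based revalidation with a per-user bearer token.
export function fetchMetricsLeaky(username: string, token: string): string {
  return cachedFetch(endpoint(username), {
    headers: { Authorization: `Bearer ${token}` },
    next: { revalidate: 3600 },
  });
}

// Fixed pattern: no-store, so every request reaches upstream with its own token.
export function fetchMetricsFixed(username: string, token: string): string {
  return cachedFetch(endpoint(username), {
    headers: { Authorization: `Bearer ${token}` },
    cache: "no-store",
  });
}

// True when user B (tokenB) is handed the body that was fetched with tokenA.
export function leaksAcrossUsers(fn: (u: string, t: string) => string): boolean {
  resetCache();
  const a = fn("octocat", "tokenA");
  const b = fn("octocat", "tokenB");
  return a === b && b.includes("tokenA");
}
```

The check is deliberately independent of the real framework: any shared cache whose key omits the identity of the caller has the same property, so the model can be reused to reason about a reverse-proxy or CDN cache in front of authenticated responses.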

@Priyanshu-byte-coder Priyanshu-byte-coder added gssoc:approved GSSoC: PR approved for scoring level:intermediate GSSoC: Intermediate difficulty (35 pts) labels May 23, 2026
@harshitanagpal05
Author

Hey @Priyanshu-byte-coder, I've implemented the requested fix in the compare API route and pushed it to the PR branch. All GitHub fetch calls in route.ts now use cache: "no-store" instead of next: { revalidate: 3600 }.

Development

Successfully merging this pull request may close these issues.

[Security] GitHub API URL path traversal and search query injection via unsanitized username parameter