Remove CodeQL warning (#7792)
Use a more performant regexp that matches the smart protocol
documentation at https://git-scm.com/docs/http-protocol#_smart_server_response.

In particular:

> Clients MUST validate the first five bytes of the response entity
> matches the regex ^[0-9a-f]{4}#. If this test fails, clients MUST NOT
> continue.

and:

> Clients MUST verify the first pkt-line is # service=$servicename.
> Servers MUST set $servicename to be the request parameter value. Servers
> SHOULD include an LF at the end of this line. Clients MUST ignore an LF
> at the end of the line.
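To make the two quoted requirements concrete, here is a small parser for the `info/refs?service=git-upload-pack` response format the commit message links to. This is an added example, not code from dependabot-core or from the commit; the names `SmartProtocolError`, `pkt_lines`, `head_sha_from_upload_pack` and `pkt` are chosen here, `HEAD_SHA` is a placeholder value, and the sample responses are constructed by hand. It goes slightly beyond the diff by parsing on pkt-line length framing rather than on line breaks, which is what makes the no-LF variant the diff's comment mentions parse cleanly, and it rejects a response that fails either MUST instead of continuing.

```ruby
# Added example, not dependabot-core code: parse a git smart-HTTP
# "info/refs?service=git-upload-pack" response as described at
# https://git-scm.com/docs/http-protocol#_smart_server_response and
# return the sha advertised for HEAD. All names and sample data below
# are constructed for this example.

class SmartProtocolError < StandardError; end

FLUSH = :flush

# Split a byte string into pkt-line payloads. Each pkt-line is a 4-char
# hex length (which counts itself) followed by the payload; "0000" is a
# flush-pkt. Records are delimited by length, not by LF, so a server
# that omits the LF after the service line still parses correctly.
def pkt_lines(data)
  pos = 0
  out = []
  while pos < data.bytesize
    len_hex = data.byteslice(pos, 4)
    unless /\A[0-9a-f]{4}\z/.match?(len_hex)
      raise SmartProtocolError, "bad pkt-len #{len_hex.inspect} at byte #{pos}"
    end
    len = len_hex.to_i(16)
    if len.zero?
      out << FLUSH
      pos += 4
      next
    end
    raise SmartProtocolError, "pkt-len #{len} below minimum" if len < 4
    raise SmartProtocolError, "truncated pkt-line at byte #{pos}" if pos + len > data.bytesize
    out << data.byteslice(pos + 4, len - 4)
    pos += len
  end
  out
end

# Apply the two client-side MUSTs quoted in the commit message, then
# return the 40-hex sha advertised for HEAD. A dumb-protocol body, an
# HTML error page or a different service name all raise rather than
# being partially parsed.
def head_sha_from_upload_pack(data, service = "git-upload-pack")
  unless /\A[0-9a-f]{4}#\z/.match?(data.byteslice(0, 5).to_s)
    raise SmartProtocolError, "not a smart server response"
  end
  lines = pkt_lines(data)
  first = lines.first
  # Clients MUST ignore an LF at the end of the service line.
  unless first.is_a?(String) && first.chomp == "# service=#{service}"
    raise SmartProtocolError, "unexpected first pkt-line #{first.inspect}"
  end
  refs = lines.drop(1).drop_while { |l| l == FLUSH }
  head = refs.find { |l| l.is_a?(String) && l.split("\0", 2).first.end_with?(" HEAD") }
  raise SmartProtocolError, "no HEAD advertised" unless head
  sha = head[0, 40]
  raise SmartProtocolError, "malformed sha #{sha.inspect}" unless /\A[0-9a-f]{40}\z/.match?(sha)
  sha
end

# Build one pkt-line from a payload (used only for the constructed samples).
def pkt(payload)
  format("%04x", payload.bytesize + 4) + payload
end

HEAD_SHA = "a" * 40 # placeholder sha, not a real commit
# Constructed sample: service line with its trailing LF, as most servers send it.
WITH_LF = pkt("# service=git-upload-pack\n") + "0000" +
          pkt("#{HEAD_SHA} HEAD\0multi_ack thin-pack symref=HEAD:refs/heads/main\n") +
          pkt("#{HEAD_SHA} refs/heads/main\n") + "0000"
# Constructed sample: same advertisement with no LF after the service line
# (the shape the diff's comment attributes to Bitbucket).
WITHOUT_LF = pkt("# service=git-upload-pack") + "0000" +
             pkt("#{HEAD_SHA} HEAD\0multi_ack\n") + "0000"
# Constructed sample: a dumb-protocol info/refs body, which MUST be rejected.
DUMB = "#{HEAD_SHA}\trefs/heads/main\n"

if __FILE__ == $PROGRAM_NAME
  puts head_sha_from_upload_pack(WITH_LF)
  puts head_sha_from_upload_pack(WITHOUT_LF)
  begin
    head_sha_from_upload_pack(DUMB)
  rescue SmartProtocolError => e
    puts "rejected: #{e.message}"
  end
end
```

The first check looks only at the five leading bytes, exactly as the quoted text requires, and the service-name check compares after `chomp` so the optional LF is ignored rather than breaking the match.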
deivid-rodriguez authored Aug 11, 2023
1 parent c9685ff commit 4e22d43
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions common/lib/dependabot/git_metadata_fetcher.rb
Expand Up @@ -47,8 +47,10 @@ def head_commit_for_ref(ref)
if ref == "HEAD"
# Remove the opening clause of the upload pack as this isn't always
# followed by a line break. When it isn't (e.g., with Bitbucket) it
# causes problems for our `sha_for_update_pack_line` logic
line = upload_pack.gsub(/.*git-upload-pack/, "").
# causes problems for our `sha_for_update_pack_line` logic. The format
# of this opening clause is documented at
# https://git-scm.com/docs/http-protocol#_smart_server_response
line = upload_pack.gsub(/^[0-9a-f]{4}# service=git-upload-pack/, "").
lines.find { |l| l.include?(" HEAD") }
return sha_for_update_pack_line(line) if line
end
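Review bot: the anchor and the substitution method in the new `gsub` line are looser than the comment and the quoted protocol text describe: in Ruby `^` matches at the start of every line, not only the start of the string, and `gsub` replaces every occurrence, while the opening clause being removed is a single service line at the very start of the response. `line = upload_pack.sub(/\A[0-9a-f]{4}# service=git-upload-pack/, "").` would strip exactly that clause. Separately, the commit message quotes that clients MUST NOT continue when the first five bytes do not match `^[0-9a-f]{4}#`, but when this regexp does not match the substitution is a silent no-op and the method falls through to the `" HEAD"` search and `sha_for_update_pack_line`; consider checking for the match first (for example `match?` on the prefix, or comparing the `sub` result to the input) and raising, so a dumb-protocol body or an error page is rejected rather than partially parsed.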
