[repo-monitor] Medium: actor_id interpolated into URL path without validation — path injection risk

## Summary
`actor_id` is inserted verbatim into a URL format string without validation or percent-encoding, enabling path injection if the value contains `../` sequences.

## Location
- **File**: `src/lib.rs`
- **Line(s)**: 166–167, 198

## Severity
**Medium**

## Details
```rust
let url = format!("{}/acts/{}/runs?token={}", self.api_base, actor_id, api_key);
```
`reqwest`/`url` crate normalizes path segments, so `actor_id = "../../admin"` could result in a request to `/admin/runs` instead of the intended path.

## Suggested Fix
Validate `actor_id` against an allowlist pattern before use:
```rust
if !actor_id.chars().all(|c| c.is_alphanumeric() || c == '~' || c == '_' || c == '-' || c == '/') {
    return Err(Error::InvalidActorId(actor_id.to_string()));
}
```


---
*Automated finding by repo-monitor*

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[repo-monitor] Medium: actor_id interpolated into URL path without validation — path injection risk #5

Summary

Location

Severity

Details

Suggested Fix

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

[repo-monitor] Medium: actor_id interpolated into URL path without validation — path injection risk #5

Description

Summary

Location

Severity

Details

Suggested Fix

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions