
Meet Dash O’Pepper - tayllanb
https://filipeherculano.dev/blog/dash-o-pepper/
======
tyingq
There are some other users that got in before "no leading or trailing dashes"
was enforced:

[https://api.github.com/users/A-](https://api.github.com/users/A-) (similar
for other [A-Z0-9]- accounts). Curiously, no "-[A-Z0-9]" accounts, though I
did find -cor-
[https://api.github.com/users/-cor-](https://api.github.com/users/-cor-)

And their homepages work, unlike the account in the article:
[https://github.com/a-](https://github.com/a-)
[https://github.com/-Cor-](https://github.com/-Cor-)

The newest ones I can find were created in 2013.

------
solidr53
You can go to a random user that you have not followed, and inspect the
"Follow" button, change the action of the form to "/users/follow?target=-" and
press it.

~~~
gravitas
It shows up on the search page, no need to even go that far - just search `-`
and choose Users and it can be followed from the UI.
[https://github.com/search?q=-&type=Users](https://github.com/search?q=-&type=Users)

------
andrewshadura
The Internet Archive captured the userpage of Dash:
[https://web.archive.org/web/20160128172437/https://github.co...](https://web.archive.org/web/20160128172437/https://github.com/-/)

~~~
oneeyedpigeon
I think this confirms my initial assumption — that the account _was_ once
supported, hence the followers, but GitHub has changed the rules since to make
it invalid.

------
taywrobel
Very cool find! Just checked this on the GitHub mobile beta
([https://github.com/mobile](https://github.com/mobile)), and Dash shows up in
searches and from a bit of light perusal seems fully functional
(following/unfollowing/starring).

So the 500’s on github.com are likely somewhere in the rails layer.

~~~
tyingq
I forked the repo here:
[https://github.com/tyingq/test](https://github.com/tyingq/test) and it bombs
with http 500 if I browse from desktop, but not from a mobile browser.

The README.md bombs in either:
[https://github.com/tyingq/test/blob/master/README.md](https://github.com/tyingq/test/blob/master/README.md)

Which is curious...

Edit: Unrelated, but the 500 pages pull in this js:
[https://github.com/_error.js](https://github.com/_error.js) Which has some
interesting stuff at the bottom that watches for a keypress consisting of a
backtick, that then does: _window.location =
'/site/toggle_site_admin_and_employee_status'_

~~~
taywrobel
Poking around the ruby code, it looks like it's any place that GitHub attempts
to generate a link back to itself. The formatter generates the URI and then
validates it against the route matcher, notices that the username constraint
isn't matched and bombs out at that point.

I'm not familiar enough with this code to know the potential side effects of
changing that, so I'll file an issue for now, but that's the gist of it, for
those curious!

~~~
tyingq
Interesting that [https://github.com/-Cor-](https://github.com/-Cor-) works,
so the username constraints vary in what's enforced.

------
smitop
Since GH URLs are github.com/<name>, you also can't register usernames like
@login, since that would cause a conflict. However, @case-studies and
@customer-stories both are content pages (well /case-studies redirects to
/customer-stories) and users. Those two users also cause weird things when
interacting with the website and API.

------
BossingAround
What a wholesome exploration. Nice read! :)

------
mihaitodor
Can you fork that test repo via the API?

~~~
tyingq
I was able to fork it via the API:
[https://github.com/tyingq/test](https://github.com/tyingq/test)

It acts a bit funny. Http 500 "Internal Server" errors if I access the above
url with a desktop browser, but no error if I browse it with a mobile browser.
Heh.

The - user is now showing a fork of the test repo:
[https://api.github.com/repos/-/test/forks](https://api.github.com/repos/-/test/forks)

------
zemnmez
i'd wager the restrictions on leading dashes are to prevent command switch
injection attacks on users

~~~
toast0
Perhaps, but the restrictions also line up with requirements to be a valid DNS
hostname.

~~~
zemnmez
i believe those restrictions are for the same reason. I have a few leading
dash hostnames and i only use them for attacking cli tools
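
Added example, not part of any comment in this thread: a sketch of the option-injection concern raised above, showing how a leading-dash name is parsed by a CLI with and without the `--` end-of-options marker. The `show` command line and the name regex are assumptions made for illustration (the regex models the "no leading or trailing dashes" rule mentioned in the thread; it is not GitHub's validation code).

```python
import argparse
import re

# Assumed account-name rule modelled on the thread's "no leading or trailing
# dashes"; this is not GitHub's validation code.
NAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")

def is_valid_name(name):
    """True if name is alphanumeric with interior dashes only."""
    return NAME_RE.fullmatch(name) is not None

class _Parser(argparse.ArgumentParser):
    def error(self, message):  # raise instead of exiting the process
        raise ValueError(message)

def parse(argv):
    """Hypothetical CLI 'show [-f] [NAME]' that is handed a user name."""
    p = _Parser(prog="show")
    p.add_argument("-f", "--force", action="store_true")
    p.add_argument("name", nargs="?", default="<none>")
    ns = p.parse_args(argv)
    return ns.force, ns.name

def naive_argv(name):
    return [name]  # the name lands where options are still being parsed

def guarded_argv(name):
    return ["--", name]  # "--" ends option parsing; the name stays data

# Constructed samples; "A-", "-cor-" and "-" are names from the thread.
SAMPLES = ["tyingq", "A-", "-cor-", "-", "-f"]

def report():
    """Return (name, passes_rule, naive_result, guarded_result) per sample."""
    rows = []
    for name in SAMPLES:
        try:
            naive = parse(naive_argv(name))
        except ValueError as exc:
            naive = ("error", str(exc))
        rows.append((name, is_valid_name(name), naive,
                     parse(guarded_argv(name))))
    return rows

if __name__ == "__main__":
    for row in report():
        print(row)
```

The name `-f` silently switches on `--force` in the naive form and is treated as plain data after `--`; rejecting names that fail the rule at registration removes the problem for tools that never add the separator.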

------
tristor
Fun read. Their tool has a website where you can test it, but unfortunately it
only works on my personal GH username, not my work one. Seems that it's maybe
not fully-baked yet. It's an interesting idea though for a side project.

------
ChrisMarshallNY
That's a fun read. Thanks!

------
lunchables
Is it just me or is anyone else tired of these click-baity headlines? Is it too
much to ask for a short sentence that actually describes what it is?

