fix(server): validate branch name in set_default_branch

Call validate_ref_name on the user-provided branch name before
constructing the symbolic-ref argument to prevent command injection.

server/repository.rs

@@ -206,6 +206,8 @@ impl repository_service_server::RepositoryService for GitksService {
             }
             Err(err) => return Err(err),
         };
+        crate::sanitize::validate_ref_name(&inner.name)
+            .map_err(|e| tonic::Status::invalid_argument(e.to_string()))?;
         let refname = format!("refs/heads/{}", inner.name);
         git_cmd(&gb, &["symbolic-ref", "HEAD", &refname])?;
         tracing::info!(%repo, %name, "default branch set");