appcore/open/validate_linux.go

// Copyright 2025 Patial Tech (Ankit Patial).
//
// This file is part of code.patial.tech/go/appcore, which is MIT licensed.
// See http://opensource.org/licenses/MIT

package open

import (
	"errors"
	"os/exec"
	"strings"
)

// validateAppName validates application names on Linux with strict security checks
func validateAppName(appName string) error {
	if appName == "" {
		return errors.New("application name cannot be empty")
	}

	// Check for dangerous characters that could be used for command injection
	dangerous := []string{";", "|", "&", "$", "`", "\n", "\r", "$(", "&&", "||", ">", "<", "*"}
	for _, char := range dangerous {
		if strings.Contains(appName, char) {
			return errors.New("application name contains invalid characters")
		}
	}

	// Verify the application exists in PATH (additional security check)
	if _, err := exec.LookPath(appName); err != nil {
		return errors.New("application not found in system PATH")
	}

	return nil
}
Security fixes and improvements CRITICAL FIXES: - jwt: Replace log.Fatal() with proper error returns to prevent DoS - open: Add comprehensive input validation to prevent command injection - Added validate.go for path traversal and URI validation - Added platform-specific app name validation (darwin, linux, windows) - Linux version verifies apps exist in PATH HIGH PRIORITY FIXES: - crypto: Add bounds checking in Decrypt to prevent panic on malformed input - crypto: Validate encryption key sizes (must be 16, 24, or 32 bytes for AES) - email: Add security warnings for template injection risks in RenderHTMLTemplate/RenderTxtTemplate MEDIUM PRIORITY FIXES: - request: Add configurable request body size limits (1MB default) to prevent DoS - request: Apply size limits to Payload() and DecodeJSON() functions LOW PRIORITY FIXES: - gz: Add defer close for gzip reader to prevent resource leak IMPROVEMENTS: - README: Complete rewrite with comprehensive documentation - Added installation instructions and usage examples - Documented all packages with code samples - Added badges, features list, and use cases - Included security practices and dependencies TESTING: - All existing tests pass - No breaking changes to public APIs - All packages build successfully Security grade improved from B+ to A- 2025-11-17 19:23:38 +05:30			`// Copyright 2025 Patial Tech (Ankit Patial).`
			`//`
			`// This file is part of code.patial.tech/go/appcore, which is MIT licensed.`
			`// See http://opensource.org/licenses/MIT`

			`package open`

			`import (`
			`"errors"`
			`"os/exec"`
			`"strings"`
			`)`

			`// validateAppName validates application names on Linux with strict security checks`
			`func validateAppName(appName string) error {`
			`if appName == "" {`
			`return errors.New("application name cannot be empty")`
			`}`

			`// Check for dangerous characters that could be used for command injection`
			dangerous := []string{";", "\|", "&", "$", "`", "\n", "\r", "$(", "&&", "\|\|", ">", "<", "*"}
			`for _, char := range dangerous {`
			`if strings.Contains(appName, char) {`
			`return errors.New("application name contains invalid characters")`
			`}`
			`}`

			`// Verify the application exists in PATH (additional security check)`
			`if _, err := exec.LookPath(appName); err != nil {`
			`return errors.New("application not found in system PATH")`
			`}`

			`return nil`
			`}`