Validate ensures that a cheatsheet name does not contain directory traversal sequences or other potentially dangerous patterns.
(name string)
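// Validate ensures that a cheatsheet name does not contain
// directory traversal sequences or other potentially dangerous patterns.
//
// It returns a non-nil error when name is empty, contains "..", is an
// absolute path, begins with a path separator, begins with "~", or has a
// final path element that begins with ".". It returns nil otherwise.
//
// Validate inspects the string only; it does not touch the filesystem or
// resolve symbolic links. NOTE(review): callers that join name onto a base
// directory should presumably still confirm that the resulting path stays
// inside that directory.
func Validate(name string) error {
	// Reject empty names
	if name == "" {
		return fmt.Errorf("cheatsheet name cannot be empty")
	}

	// Reject names containing directory traversal. This is a substring
	// match, so a name such as "a..b" is rejected as well.
	if strings.Contains(name, "..") {
		return fmt.Errorf("cheatsheet name cannot contain '..'")
	}

	// Reject absolute paths
	if filepath.IsAbs(name) {
		return fmt.Errorf("cheatsheet name cannot be an absolute path")
	}

	// Reject rooted names that filepath.IsAbs does not report as absolute.
	// On Windows a path such as `\dir\file` or `/dir/file` carries no volume
	// name, so IsAbs returns false even though, used on its own, the path
	// resolves from the root of the current drive. The check runs after
	// IsAbs so existing error messages are unchanged.
	if strings.HasPrefix(name, "/") || strings.HasPrefix(name, `\`) {
		return fmt.Errorf("cheatsheet name cannot start with a path separator")
	}

	// Reject names that start with ~ (home directory expansion)
	if strings.HasPrefix(name, "~") {
		return fmt.Errorf("cheatsheet name cannot start with '~'")
	}

	// Reject hidden files (files that start with a dot)
	// We don't display hidden files, so we shouldn't create them.
	// Only the final path element is checked here; earlier elements of
	// name may still begin with a dot.
	filename := filepath.Base(name)
	if strings.HasPrefix(filename, ".") {
		return fmt.Errorf("cheatsheet name cannot start with '.' (hidden files are not supported)")
	}

	return nil
}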