Overview
Package validate provides input sanitization and validation functions to prevent injection attacks (control characters, CRLF, Unicode spoofing, ANSI escape sequences) at the CLI boundary.
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
func EncodePathSegment
EncodePathSegment percent-encodes user input for safe use as a single URL path segment (e.g. / → %2F, ? → %3F), ensuring the value cannot alter URL routing when interpolated into an API path.
func RejectCRLF
RejectCRLF rejects strings containing carriage return (\r) or line feed (\n). These characters enable MIME/HTTP header injection and must never appear in header values, filenames, or single-line parameters.
func RejectControlChars
RejectControlChars rejects user input containing C0 control characters (except \t and \n) or dangerous Unicode characters.
Control characters cause subtle security issues: null bytes truncate strings at the C layer, and \r enables HTTP header injection via CRLF. Dangerous Unicode characters allow visual spoofing (e.g. making "admin" appear as a different string via Bidi overrides).
func ResourceName
ResourceName validates an API resource identifier (userId, taskId, etc.) before it is interpolated into a URL path. It rejects path traversal (..), URL metacharacters (?#%), percent-encoded bypasses, control characters, and dangerous Unicode.
Without this check, an input like "../admin" or "?evil=true" in a resource ID would alter the API endpoint.
func SanitizeForTerminal
SanitizeForTerminal strips ANSI escape sequences, C0 control characters (except \n and \t), and dangerous Unicode from text. Apply it to table-format output and stderr messages, but NOT to json output, where consumers need the raw data.
API responses may contain injected ANSI sequences that clear the screen, fake a colored "OK" status, or change the terminal title. In AI agent scenarios, such injections can pollute the LLM's context window.
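As an added illustration of the stripping this function describes (not the package's own code; the function name, the set of dangerous Unicode ranges and the handling of only CSI and OSC sequences are assumptions), a standalone Go implementation run over a constructed API response:

```go
package main

import (
	"fmt"
	"strings"
)

// dangerousUnicode reports whether r is a Bidi control or zero-width rune.
func dangerousUnicode(r rune) bool {
	return (r >= 0x202A && r <= 0x202E) || (r >= 0x2066 && r <= 0x2069) ||
		r == 0x200B || r == 0x200C || r == 0x200D || r == 0xFEFF
}

// StripTerminalEscapes removes CSI (ESC [ ... final byte) and OSC
// (ESC ] ... BEL or ESC \) sequences, C0 controls other than \n and \t,
// and dangerous Unicode, so the text is safe to print to a terminal.
func StripTerminalEscapes(s string) string {
	var b strings.Builder
	rs := []rune(s)
	for i := 0; i < len(rs); i++ {
		r := rs[i]
		if r == 0x1B && i+1 < len(rs) && rs[i+1] == '[' {
			// CSI: skip through the final byte, which lies in 0x40..0x7E (e.g. 'm', 'J').
			for i += 2; i < len(rs) && (rs[i] < 0x40 || rs[i] > 0x7E); i++ {
			}
			continue
		}
		if r == 0x1B && i+1 < len(rs) && rs[i+1] == ']' {
			// OSC (e.g. a terminal title change): skip until BEL or ESC \.
			for i += 2; i < len(rs) && rs[i] != 0x07; i++ {
				if rs[i] == 0x1B && i+1 < len(rs) && rs[i+1] == '\\' {
					i++ // consume the backslash of the ST terminator too
					break
				}
			}
			continue
		}
		if (r < 0x20 && r != '\n' && r != '\t') || r == 0x7F || dangerousUnicode(r) {
			continue
		}
		b.WriteRune(r)
	}
	return b.String()
}

func main() {
	// Constructed sample: fake green "OK", clear screen, title change, RLO, NUL.
	in := "\x1b[32mOK\x1b[0m \x1b[2J\x1b]0;pwned\x07status\u202e\x00done\n"
	fmt.Printf("%q\n", StripTerminalEscapes(in)) // "OK statusdone\n"
}
```

A lone ESC followed by anything other than `[` or `]` is dropped as a C0 control while the bytes after it are kept, so sequences outside CSI/OSC are only neutralized, not removed whole.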
func StripQueryFragment
StripQueryFragment removes any ?query or #fragment suffix from a URL path. API parameters must go through structured flags rather than being embedded in the path, to prevent parameter injection.
Types
This section is empty.