validate

package
v1.0.6 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 8, 2026 License: MIT Imports: 11 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AtomicWrite 

func AtomicWrite(path string, data []byte, perm os.FileMode) error

AtomicWrite writes data to path atomically. Delegates to localfileio.AtomicWrite.

func AtomicWriteFromReader 

func AtomicWriteFromReader(path string, reader io.Reader, perm os.FileMode) (int64, error)

AtomicWriteFromReader atomically copies reader contents into path. Delegates to localfileio.AtomicWriteFromReader.

func EncodePathSegment 

func EncodePathSegment(s string) string

EncodePathSegment percent-encodes user input for safe use as a single URL path segment (e.g. / → %2F, ? → %3F, # → %23), ensuring the value cannot alter the URL routing structure when interpolated into an API path.

This provides defense-in-depth alongside ResourceName: ResourceName rejects known dangerous patterns at the input layer, while EncodePathSegment acts as a fallback at the concatenation layer — if ResourceName rules are relaxed in the future, or if an API path bypasses ResourceName validation (e.g. cmd/service/ generic calls), encoding still prevents special characters from being interpreted as path separators or query parameters.

Convention: all user-provided variables in fmt.Sprintf API paths within shortcuts/ MUST be wrapped with this function.

func NewDownloadHTTPClient 

func NewDownloadHTTPClient(base *http.Client, opts DownloadHTTPClientOptions) *http.Client

NewDownloadHTTPClient clones base client and enforces download-safe redirect and connection rules for untrusted URLs.

func RejectCRLF 

func RejectCRLF(value, fieldName string) error

RejectCRLF rejects strings containing carriage return (\r) or line feed (\n). These characters enable MIME/HTTP header injection and must never appear in header field names, values, Content-ID, or filename parameters.

func RejectControlChars 

func RejectControlChars(value, flagName string) error

RejectControlChars rejects C0 control characters (except \t and \n) and dangerous Unicode characters from user input.

Delegates to charcheck.RejectControlChars — the single source of truth for character-level security checks.

func ResourceName 

func ResourceName(name, flagName string) error

ResourceName validates an API resource identifier (messageId, fileToken, etc.) before it is interpolated into a URL path via fmt.Sprintf. It rejects path traversal (..), URL metacharacters (?#%), percent-encoded bypasses (%2e%2e), control characters, and dangerous Unicode.

Without this check, an input like "../admin" or "?evil=true" in a message ID would alter the API endpoint the request is sent to. Works alongside EncodePathSegment for defense-in-depth.

func SafeEnvDirPath added in v1.0.6 

func SafeEnvDirPath(path, envName string) (string, error)

SafeEnvDirPath validates an environment-provided application directory path. Delegates to localfileio.SafeEnvDirPath.

func SafeInputPath 

func SafeInputPath(path string) (string, error)

SafeInputPath validates an upload/read source path. Delegates to localfileio.SafeInputPath.

func SafeLocalFlagPath 

func SafeLocalFlagPath(flagName, value string) (string, error)

SafeLocalFlagPath validates a flag value as a local file path. Delegates to localfileio.SafeLocalFlagPath.

func SafeOutputPath 

func SafeOutputPath(path string) (string, error)

SafeOutputPath validates a download/export target path. Delegates to localfileio.SafeOutputPath.

func SanitizeForTerminal 

func SanitizeForTerminal(text string) string

SanitizeForTerminal strips ANSI escape sequences, C0 control characters (except \n and \t), and dangerous Unicode from text, preserving the actual readable content. It should be applied to table format output and stderr messages, but NOT to json/ndjson output where programmatic consumers need the raw data.

API responses may contain injected ANSI sequences that clear the screen, fake a colored "OK" status, or change the terminal title. In AI Agent scenarios, such injections can also pollute the LLM's context window with misleading output.

func StripQueryFragment 

func StripQueryFragment(path string) string

StripQueryFragment removes any ?query or #fragment suffix from a URL path. API parameters must go through structured --params flags, not embedded in the path, to prevent parameter injection and behaviour confusion.

func ValidateDownloadSourceURL 

func ValidateDownloadSourceURL(ctx context.Context, rawURL string) error

ValidateDownloadSourceURL validates a download URL and blocks local/internal targets.

Types

type DialContextFunc added in v1.0.3 

type DialContextFunc func(ctx context.Context, network, addr string) (net.Conn, error)

DialContextFunc is the signature for DialContext / DialTLSContext.

func WrapDialContextWithIPCheck added in v1.0.3 

func WrapDialContextWithIPCheck(origDial DialContextFunc) DialContextFunc

WrapDialContextWithIPCheck wraps a DialContext function to validate the remote IP after connection, rejecting local/internal addresses (SSRF protection).

type DownloadHTTPClientOptions 

type DownloadHTTPClientOptions struct {
	// AllowHTTP controls whether plain HTTP URLs are permitted.
	// If false, any HTTP URL (initial or redirect target) is rejected.
	AllowHTTP bool
	// MaxRedirects limits follow-up redirects. Zero or negative uses default.
	MaxRedirects int
}

DownloadHTTPClientOptions controls redirect and scheme behavior for untrusted-source downloads.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.