mirror of
https://github.com/larksuite/cli.git
synced 2026-07-03 14:02:43 +08:00
* feat: add FileIO extension for file transfer abstraction Introduce extension/fileio package with Provider/FileIO/File interfaces and a global registry, following the same pattern as extension/credential. - Add LocalFileIO default implementation with path validation and atomic writes - Wire FileIOProvider into Factory and resolve at runtime via RuntimeContext.FileIO() - Factory holds Provider (not resolved instance), deferring resolution to execution time
43 lines
1.3 KiB
Go
43 lines
1.3 KiB
Go
// Copyright (c) 2026 Lark Technologies Pte. Ltd.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package validate
|
|
|
|
import (
|
|
"fmt"
|
|
"strings"
|
|
|
|
"github.com/larksuite/cli/internal/charcheck"
|
|
)
|
|
|
|
// RejectControlChars rejects C0 control characters (except \t and \n) and
|
|
// dangerous Unicode characters from user input.
|
|
//
|
|
// Delegates to charcheck.RejectControlChars — the single source of truth
|
|
// for character-level security checks.
|
|
func RejectControlChars(value, flagName string) error {
|
|
return charcheck.RejectControlChars(value, flagName)
|
|
}
|
|
|
|
// RejectCRLF rejects strings containing carriage return (\r) or line feed (\n).
|
|
// These characters enable MIME/HTTP header injection and must never appear in
|
|
// header field names, values, Content-ID, or filename parameters.
|
|
func RejectCRLF(value, fieldName string) error {
|
|
if strings.ContainsAny(value, "\r\n") {
|
|
return fmt.Errorf("%s contains invalid line break characters", fieldName)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// StripQueryFragment removes any ?query or #fragment suffix from a URL path.
|
|
// API parameters must go through structured --params flags, not embedded in
|
|
// the path, to prevent parameter injection and behaviour confusion.
|
|
func StripQueryFragment(path string) string {
|
|
for i := 0; i < len(path); i++ {
|
|
if path[i] == '?' || path[i] == '#' {
|
|
return path[:i]
|
|
}
|
|
}
|
|
return path
|
|
}
|