Tw93 951e395ab7 security: fix CodeQL command injection and path traversal alerts ...

- Add validatePath() helper to check path safety before external commands
- Validate paths in delete.go (moveToTrash), scanner.go (mdfind, du),
  and main.go (open command)
- Remove overly restrictive character whitelist that rejected valid
  macOS paths (Chinese, emoji, $, ;, etc.)
- Unify path validation logic across all three files

Fixes CodeQL alerts:
- Command injection in osascript (delete.go)
- Command injection in mdfind/du (scanner.go)
- Path traversal in open command (main.go)

2026-03-14 08:24:08 +08:00

18 KiB

Raw Blame History

View Raw