Security pass

Author: osse101

internal/discord/client_maprando.go

@@ -11,6 +11,7 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
+	"regexp"
 	"strconv"
 	"strings"
 	"sync"
@@ -368,6 +369,12 @@ func (c *MapRandoClient) Unlock(seedName string, presetName string) error {
 }
 
 func (c *MapRandoClient) unlockAt(baseURL string, seedName string) error {
+	// Security: strictly validate the seedName to prevent path traversal
+	var validSeedRegex = regexp.MustCompile(`^[a-zA-Z0-9_\-]+$`)
+	if !validSeedRegex.MatchString(seedName) {
+		return fmt.Errorf("invalid seed name format: strictly alphanumeric and dashes allowed")
+	}
+
 	data := url.Values{}
 	data.Set("spoiler_token", c.spoilerToken)
 

internal/discord/cmd_maprando.go

@@ -5,7 +5,6 @@ import (
 	"log/slog"
 	"math"
 	"os"
-	"regexp"
 	"strings"
 
 	"github.com/bwmarrin/discordgo"
@@ -247,13 +246,6 @@ func MapRandoUnlockCommand(randoClient *MapRandoClient) (*discordgo.ApplicationC
 
 		seedName := strings.TrimSpace(options[0].StringValue())
 
-		// Input validation: ensure the seed name is strictly alphanumeric/dashes
-		var validSeedRegex = regexp.MustCompile(`^[a-zA-Z0-9_\-]+$`)
-		if !validSeedRegex.MatchString(seedName) {
-			respondError(s, i, "Invalid seed name. Only alphanumeric characters, dashes, and underscores are allowed.")
-			return
-		}
-
 		err := randoClient.Unlock(seedName, "")
 		if err != nil {
 			slog.Error("Failed to unlock seed", "error", err, "seed", seedName)