Missing validate_resource_name on subscription/topic names in watch and subscribe helpers #408

@etanase

Description

The --subscription flag value in gmail +watch and events +subscribe is interpolated directly into Pub/Sub API URLs without passing through crate::validate::validate_resource_name(). The same applies to the topic slug derived from --event-types in events +subscribe.

This is inconsistent with other code paths (e.g., --project is validated) and could allow path traversal segments (../) or query-injection characters (?, #) in the URL if an untrusted caller supplies a crafted value.

Affected code

  • src/helpers/gmail/watch.rs — subscription parameter used in format!("{base}/{subscription}:pull") and :acknowledge URLs
  • src/helpers/events/subscribe.rs — same pattern, plus the slug derived from event types in topic/subscription name construction

Suggested fix

Call validate_resource_name() on the --subscription value in parse_watch_args() (watch.rs) and on the generated slug before constructing Pub/Sub resource names (subscribe.rs). The events +subscribe path already validates --subscription in parse_subscribe_args but not the auto-generated names.
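To make the suggested fix concrete, here is an added, self-contained example that is not the project's code: an illustrative `validate_resource_name()` with assumed rules modelled on the public Pub/Sub naming constraints (3 to 255 bytes, starts with an ASCII letter, only ASCII alphanumerics and `-_.~+%`), applied both to a `--subscription` value before it is interpolated into the `:pull` URL and to a slug derived from event types. The URL layout (`{base}/{subscription}:pull`) follows the issue text; the slug derivation (`slug_from_event_types`) and the `NameError` type are assumptions for demonstration.

```rust
use std::fmt;

/// Why a Pub/Sub resource ID was rejected.
#[derive(Debug, PartialEq, Eq)]
pub enum NameError {
    /// Length in bytes was outside the assumed 3..=255 range.
    BadLength(usize),
    /// First character was not an ASCII letter (catches `../`, digits, `-`).
    BadStart(char),
    /// A character outside the allowlist (catches `/`, `?`, `#`, whitespace, non-ASCII).
    BadChar(char),
}

impl fmt::Display for NameError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            NameError::BadLength(n) => write!(f, "length {n} not in 3..=255"),
            NameError::BadStart(c) => write!(f, "must start with a letter, got {c:?}"),
            NameError::BadChar(c) => write!(f, "disallowed character {c:?}"),
        }
    }
}

/// Validate a single topic or subscription ID before it goes into a URL path.
/// Assumed rules (not the project's own validator): 3..=255 bytes, first char an
/// ASCII letter, remaining chars ASCII alphanumeric or one of `- _ . ~ + %`.
/// An allowlist rejects `/`, `?` and `#` outright, so path-traversal segments
/// and query/fragment injection cannot survive validation.
pub fn validate_resource_name(name: &str) -> Result<&str, NameError> {
    if name.len() < 3 || name.len() > 255 {
        return Err(NameError::BadLength(name.len()));
    }
    let mut chars = name.chars();
    let first = chars.next().expect("length already checked");
    if !first.is_ascii_alphabetic() {
        return Err(NameError::BadStart(first));
    }
    for c in chars {
        if !(c.is_ascii_alphanumeric() || matches!(c, '-' | '_' | '.' | '~' | '+' | '%')) {
            return Err(NameError::BadChar(c));
        }
    }
    Ok(name)
}

/// Build the `:pull` URL the issue describes, but only from a validated ID.
/// `base` is assumed to be the already-validated
/// `.../projects/{project}/subscriptions` prefix.
pub fn pull_url(base: &str, subscription: &str) -> Result<String, NameError> {
    let subscription = validate_resource_name(subscription)?;
    Ok(format!("{base}/{subscription}:pull"))
}

/// Assumed slug derivation: lowercase each event type, replace every
/// non-alphanumeric with `-`, join with `-`. Even though this sanitises the
/// input, the result is still validated (e.g. an all-digit slug is rejected).
pub fn slug_from_event_types(event_types: &[&str]) -> Result<String, NameError> {
    let slug = event_types
        .iter()
        .map(|e| {
            e.trim()
                .to_ascii_lowercase()
                .replace(|c: char| !c.is_ascii_alphanumeric(), "-")
        })
        .collect::<Vec<_>>()
        .join("-");
    validate_resource_name(&slug).map(str::to_string)
}

fn main() {
    // Constructed inputs: one benign subscription, two crafted ones.
    let base = "https://pubsub.example/v1/projects/demo/subscriptions";
    for sub in ["inbox-watch", "../topics/other", "inbox?x=1"] {
        match pull_url(base, sub) {
            Ok(url) => println!("ok   {url}"),
            Err(e) => println!("deny {sub:?}: {e}"),
        }
    }
    match slug_from_event_types(&["Gmail.Message", "Calendar"]) {
        Ok(slug) => println!("slug {slug}"),
        Err(e) => println!("deny slug: {e}"),
    }
}
```

The point of validating the generated slug as well as the user-supplied value is that sanitisation and validation are different controls: the sanitiser guarantees the character set, the validator guarantees the name is actually acceptable to the API (length, leading letter), and running both keeps the `--subscription` and `--event-types` paths consistent with how `--project` is already handled.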

Context

Identified during review of #407 — pre-existing on main, not introduced by that PR.
