Merged
Conversation
…ation checks - Introduce pkg/validate with email and URL validation helpers (docs/tests included) - Email: syntax checks, optional IDN support, TLD requirements, IP-literal policy, and domain verification via DNS (MX/A); clear error types (e.g., ErrEmailDomainInvalid, ErrEmailDomainLookupFailed, ErrEmailDomainUnverified, ErrEmailIPLiteralNotAllowed) - URL: scheme allowlist, host allow/block rules, optional IP-literal support, redirect policy (depth/allow), reputation checker hook; error types (e.g., ErrURLSchemeNotAllowed, ErrURLHostMissing, ErrURLRedirectNotAllowed, ErrURLRedirectLoop, ErrURLReputationBlocked) - Docs: add usage examples and security checklist guidance for input validation - Chore: extend cspell dictionary with IDN/DNS-related terms - Deps: add/upgrade golang.org/x/net v0.48.0 and golang.org/x/text v0.32.0
…tion detector
- Introduce pkg/sanitize with focused sanitizers:
- HTMLSanitizer: escape or strip HTML (optional policy), max-length support
- MarkdownSanitizer: escape by default; option to allow raw HTML; max-length support
- SQLSanitizer: modes for Identifiers, Literals, and LIKE patterns; qualified identifiers;
proper escaping and length caps
- FilenameSanitizer: control max length, Unicode/spaces, leading dot, and replacement rules
- Add SQLInjectionDetector with normalization + pattern-based detection (configurable)
- Define clear error types for invalid inputs/configuration and length violations
- Docs: expand README and docs/usage with examples; add security-checklist guidance on sanitization
- Chore: extend cspell dictionary with sanitize-related terms
- Tests: unit tests for all sanitizers and the injection detector
Contributor
There was a problem hiding this comment.
Pull request overview
This pull request adds comprehensive input validation and sanitization functionality to the sectools library. The changes introduce two new packages (pkg/validate and pkg/sanitize) with implementations for email/URL validation and HTML/Markdown/SQL/filename sanitization.
Changes:
- Added email validation with DNS verification, IDN support, and configurable rules
- Added URL validation with HTTPS-only enforcement, redirect checking, and reputation checks
- Added HTML/Markdown sanitizers with escape/strip modes and custom policy support
- Added SQL sanitizer for identifiers, literals, and LIKE patterns with injection detection
- Added filename sanitizer for secure path segment normalization
Reviewed changes
Copilot reviewed 22 out of 23 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| pkg/validate/email.go | Email validator with RFC compliance, DNS verification, and IDN support |
| pkg/validate/url.go | URL validator enforcing HTTPS, checking redirects, and reputation |
| pkg/validate/errors.go | Error definitions for validation failures |
| pkg/validate/email_test.go | Test suite for email validation covering core scenarios |
| pkg/validate/url_test.go | Test suite for URL validation with redirect and reputation tests |
| pkg/sanitize/html.go | HTML sanitizer with escape/strip modes and policy support |
| pkg/sanitize/markdown.go | Markdown sanitizer with HTML escaping by default |
| pkg/sanitize/sql.go | SQL sanitizer for identifiers, literals, and LIKE patterns |
| pkg/sanitize/sql_detect.go | Heuristic SQL injection detector with pattern matching |
| pkg/sanitize/filename.go | Filename sanitizer for secure path segments |
| pkg/sanitize/errors.go | Error definitions for sanitization failures |
| pkg/sanitize/*_test.go | Test suites for all sanitization modules |
| docs/usage.md | Documentation for validation and sanitization APIs |
| docs/security-checklist.md | Security guidance for input validation and sanitization |
| README.md | Updated project description and usage examples |
| go.mod, go.sum | Added golang.org/x/net and golang.org/x/text dependencies |
| cspell.json | Added domain-specific terms to spell checker |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…ility Add a blank line between the empty-local check and the dot-boundary check in pkg/validate/email.go to make the early-return conditions clearer. No functional changes; whitespace-only.
…o v0.33.0 - go.mod (indirect): golang.org/x/sys v0.39.0 → v0.40.0 - go.mod (indirect): golang.org/x/text v0.32.0 → v0.33.0 - Update go.sum to reflect new dependency versions No functional code changes; dependency maintenance only
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.