
security: suggested patches for semgrep high findings #375

Open
jekal1662-lang wants to merge 1 commit into steipete:main from jekal1662-lang:security/fix-sempreg-highs

Conversation

@jekal1662-lang

gogcli security patches - suggested changes

This folder contains suggested fixes for high-severity findings reported by semgrep.

  1. Avoid github context interpolation in GitHub Actions run steps
  • Change run: steps that use ${{ github.* }} directly to use env: variables and reference them safely.

  • Example change (in .github/workflows/release.yml):

    BAD

    run: echo "Releasing ${{ github.ref }}" && ./release.sh

    GOOD

    env:
      GITHUB_REF: "${{ github.ref }}"   # value arrives as an env var, never pasted into the script text
    run: |
      echo "Releasing $GITHUB_REF"
      ./release.sh

  2. Sanitize exec.Command inputs
  • Avoid passing unchecked user input to exec.Command. Validate against an allowlist or construct fixed arguments.
  • Example fix: if opening a browser with a URL, ensure the URL is validated and not directly concatenated into a shell command.
  3. Open redirect mitigation
  • For endpoints that redirect to user-provided URLs, implement an allowlist of domains or only permit relative paths.
  4. ResponseWriter XSS mitigation
  • Use html/template for rendering and ensure values are escaped.

For each recommended change below there is a suggested diff file (UNAPPLIED) and a short explanation.

@jekal1662-lang
Author

Automated security suggestion: added patches and report under security/patches. Summary: avoid direct github context interpolation in workflow run steps; validate URLs before exec/open. @steipete please review. If you prefer, I can open a follow-up PR with applied changes.

@jekal1662-lang
Author

Maintainer ping: @steipete — created PR with suggested security improvements (workflow env, exec validation). These are conservative changes aimed at reducing injection risk; happy to adjust per project style. /cc @maintainers
