chore: bump version to 4.5.0

Bug fixes: - Fix inverted pager detection logic (returned error instead of path) - Fix repo.Clone ignoring destination directory parameter - Fix sheet loading using append on pre-sized slices - Clean up partial files on copy failure - Trim whitespace from editor config Security: - Add path traversal protection for cheatsheet names Performance: - Move regex compilation outside search loop - Replace string concatenation with strings.Join in search Build: - Remove go:generate; embed config and usage as string literals - Parallelize release builds - Add fuzz testing infrastructure Testing: - Improve test coverage from 38.9% to 50.2% - Add fuzz tests for search, filter, tags, and validation Documentation: - Fix inaccurate code examples in HACKING.md - Add missing --conf and --all options to man page - Add ADRs for path traversal, env parsing, and search parallelization - Update CONTRIBUTING.md to reflect project policy Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 03:03:32 +01:00 · 2026-02-14 19:56:19 -05:00
parent 7908a678df
commit cc85a4bdb1
69 changed files with 4802 additions and 577 deletions
--- a/internal/cheatpath/validate_test.go
+++ b/internal/cheatpath/validate_test.go
@@ -1,56 +1,106 @@
 package cheatpath

 import (
+	"strings"
 	"testing"
 )

-// TestValidateValid asserts that valid cheatpaths validate successfully
-func TestValidateValid(t *testing.T) {
-
-	// initialize a valid cheatpath
-	cheatpath := Cheatpath{
-		Name:     "foo",
-		Path:     "/foo",
-		ReadOnly: false,
-		Tags:     []string{},
+func TestValidateSheetName(t *testing.T) {
+	tests := []struct {
+		name    string
+		input   string
+		wantErr bool
+		errMsg  string
+	}{
+		// Valid names
+		{
+			name:    "simple name",
+			input:   "docker",
+			wantErr: false,
+		},
+		{
+			name:    "name with slash",
+			input:   "docker/compose",
+			wantErr: false,
+		},
+		{
+			name:    "name with multiple slashes",
+			input:   "lang/go/slice",
+			wantErr: false,
+		},
+		{
+			name:    "name with dash and underscore",
+			input:   "my-cheat_sheet",
+			wantErr: false,
+		},
+		// Invalid names
+		{
+			name:    "empty name",
+			input:   "",
+			wantErr: true,
+			errMsg:  "empty",
+		},
+		{
+			name:    "parent directory traversal",
+			input:   "../etc/passwd",
+			wantErr: true,
+			errMsg:  "'..'",
+		},
+		{
+			name:    "complex traversal",
+			input:   "foo/../../etc/passwd",
+			wantErr: true,
+			errMsg:  "'..'",
+		},
+		{
+			name:    "absolute path",
+			input:   "/etc/passwd",
+			wantErr: true,
+			errMsg:  "absolute",
+		},
+		{
+			name:    "home directory",
+			input:   "~/secrets",
+			wantErr: true,
+			errMsg:  "'~'",
+		},
+		{
+			name:    "just dots",
+			input:   "..",
+			wantErr: true,
+			errMsg:  "'..'",
+		},
+		{
+			name:    "hidden file not allowed",
+			input:   ".hidden",
+			wantErr: true,
+			errMsg:  "cannot start with '.'",
+		},
+		{
+			name:    "current dir is ok",
+			input:   "./current",
+			wantErr: false,
+		},
+		{
+			name:    "nested hidden file not allowed",
+			input:   "config/.gitignore",
+			wantErr: true,
+			errMsg:  "cannot start with '.'",
+		},
 	}

-	// assert that no errors are returned
-	if err := cheatpath.Validate(); err != nil {
-		t.Errorf("failed to validate valid cheatpath: %v", err)
-	}
-}
-
-// TestValidateMissingName asserts that paths that are missing a name fail to
-// validate
-func TestValidateMissingName(t *testing.T) {
-
-	// initialize a valid cheatpath
-	cheatpath := Cheatpath{
-		Path:     "/foo",
-		ReadOnly: false,
-		Tags:     []string{},
-	}
-
-	// assert that no errors are returned
-	if err := cheatpath.Validate(); err == nil {
-		t.Errorf("failed to invalidate cheatpath without name")
-	}
-}
-
-// TestValidateMissingPath asserts that paths that are missing a path fail to
-// validate
-func TestValidateMissingPath(t *testing.T) {
-
-	// initialize a valid cheatpath
-	cheatpath := Cheatpath{
-		Name:     "foo",
-		ReadOnly: false,
-		Tags:     []string{},
-	}
-
-	// assert that no errors are returned
-	if err := cheatpath.Validate(); err == nil {
-		t.Errorf("failed to invalidate cheatpath without path")
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := ValidateSheetName(tt.input)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("ValidateName(%q) error = %v, wantErr %v", tt.input, err, tt.wantErr)
+				return
+			}
+			if err != nil && tt.errMsg != "" {
+				if !strings.Contains(err.Error(), tt.errMsg) {
+					t.Errorf("ValidateName(%q) error = %v, want error containing %q", tt.input, err, tt.errMsg)
+				}
+			}
+		})
 	}
 }