
Validate webOS package identifiers #585 (Open)

jsdavid278-cyber wants to merge 1 commit into profullstack:master from jsdavid278-cyber:codex/webos-package-id-validation

Conversation

@jsdavid278-cyber (Contributor)

Fixes #584.

Changes:

  • validate tv-webos appId as a reverse-DNS app id before build/ship
  • validate appinfo.version before using it in the generated .ipk filename
  • add regression tests for path separators in appId and version

Validation:

  • vitest run packages/targets/tv-webos/src/index.test.ts
  • tsc -p packages/targets/tv-webos/tsconfig.json --noEmit

greptile-apps Bot (Contributor) commented Jun 5, 2026

Greptile Summary

This PR adds input validation for webOS app identifiers and package versions before the build and ship steps, guarding against path-traversal attacks where a crafted appId or appinfo.version containing ../ could escape the output directory when the .ipk filename is constructed.

  • requireAppId validates the configured appId against WEBOS_APP_ID_RE (called in both packagePlan and ship); requirePackageVersion validates appinfo.version against WEBOS_VERSION_RE before it is embedded in the package filename.
  • Two new regression tests confirm that appId values and version strings containing path separators are rejected before any files are written.

Confidence Score: 3/5

The path-traversal guard works correctly for the tested inputs, but the app-ID regex rejects a character class that the webOS platform explicitly permits, which would break existing users with hyphenated IDs.

The version guard and the overall flow are solid. However, WEBOS_APP_ID_RE excludes minus signs even though the official webOS TV specification lists them as valid characters in an app ID. Any user whose app ID contains a hyphen (e.g. com.acme.my-app, com.lgdev.hello-world) will see their previously-working build fail immediately after adopting this change. The same regex also passes uppercase-letter IDs that the platform would reject, giving false confidence.

packages/targets/tv-webos/src/index.ts — specifically the WEBOS_APP_ID_RE constant on line 26

Important Files Changed

  • packages/targets/tv-webos/src/index.ts: Adds requireAppId and requirePackageVersion guards. The WEBOS_APP_ID_RE regex rejects valid hyphenated IDs (e.g. com.acme.my-app) and accepts uppercase letters, both of which contradict the official webOS TV spec.
  • packages/targets/tv-webos/src/index.test.ts: Two new regression tests cover path-separator injection in appId and appinfo.version; existing tests are unmodified and pass through unchanged.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[build / ship called] --> B[requireAppId config.appId]
    B -->|fails WEBOS_APP_ID_RE| C[throw: invalid appId]
    B -->|passes| D[resolve sourceDir]
    D --> E[readAppInfo sourceDir appId]
    E --> F{appInfo.id === appId?}
    F -->|no| G[throw: id mismatch]
    F -->|yes| H[requirePackageVersion appInfo.version]
    H -->|fails WEBOS_VERSION_RE| I[throw: invalid version]
    H -->|passes| J[requireValue title / main]
    J --> K[access main / icon files]
    K --> L[build packageName = appId_version.ipk]
    L --> M[write webos-package-plan.json]

Reviews (1): Last reviewed commit: "Validate webOS package identifiers"

type?: string;
}

const WEBOS_APP_ID_RE = /^[a-zA-Z][a-zA-Z0-9]*(?:\.[a-zA-Z][a-zA-Z0-9]*)+$/;
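Review bot: The traversal guarantee here rests on the regex shape, not on the character class, so it survives the relaxation the hyphen comment asks for: both patterns anchor with ^ and $ and require every "." to be followed by an alphanumeric label start, so neither "..", "/" nor "\" can appear in an accepted appId. Only the app-ID pattern is visible in this snippet; WEBOS_VERSION_RE and the requireAppId / requirePackageVersion helpers named in the summary sit outside it, so please confirm the version pattern is anchored the same way and cannot admit a path separator or a ".." run, since that value is concatenated straight into the .ipk filename.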
Contributor

P1 The WEBOS_APP_ID_RE pattern rejects hyphenated app IDs that the official webOS TV platform explicitly permits. The LG developer docs state the id field allows "lowercase letters (a-z), digits (0-9), minus signs, and periods." A user with an existing valid ID like com.acme.my-app or com.lgdev.hello-world would hit a validation error from sh1pt, breaking a previously-working flow. The same pattern also admits uppercase letters, which the spec disallows (all labels must be a-z).

Suggested change
const WEBOS_APP_ID_RE = /^[a-zA-Z][a-zA-Z0-9]*(?:\.[a-zA-Z][a-zA-Z0-9]*)+$/;
const WEBOS_APP_ID_RE = /^[a-z0-9][a-z0-9-]*(?:\.[a-z0-9][a-z0-9-]*)+$/;
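To make the guard described in the summary and the regex point raised in this comment concrete, here is an added example (not sh1pt's own code) that implements both checks and builds the package filename, with the reviewer's suggested app-ID pattern next to the one the PR introduced. WEBOS_VERSION_RE, requireAppId, requirePackageVersion, packageName and compareAppIdGuards are assumed shapes, since the PR does not show them.

```typescript
// Added example, not sh1pt's code. ORIGINAL_APP_ID_RE is the pattern the PR
// introduced; WEBOS_APP_ID_RE is the replacement suggested in review.
const ORIGINAL_APP_ID_RE = /^[a-zA-Z][a-zA-Z0-9]*(?:\.[a-zA-Z][a-zA-Z0-9]*)+$/;
const WEBOS_APP_ID_RE = /^[a-z0-9][a-z0-9-]*(?:\.[a-z0-9][a-z0-9-]*)+$/;
// Assumption: the PR does not show WEBOS_VERSION_RE. One to three dot-separated
// numeric fields means no path separator or ".." can survive validation.
const WEBOS_VERSION_RE = /^[0-9]+(?:\.[0-9]+){0,2}$/;

function requireAppId(appId: string): string {
  // Every label must start with [a-z0-9] and the whole string is anchored, so a
  // leading ".", a "/" or a "\" can never reach the filename step.
  if (!WEBOS_APP_ID_RE.test(appId)) {
    throw new Error(`invalid webOS appId: ${JSON.stringify(appId)}`);
  }
  return appId;
}

function requirePackageVersion(version: string): string {
  if (!WEBOS_VERSION_RE.test(version)) {
    throw new Error(`invalid appinfo.version: ${JSON.stringify(version)}`);
  }
  return version;
}

// Mirrors the filename step of the package plan: appId_version.ipk.
// Both inputs are validated before they are concatenated.
function packageName(appId: string, version: string): string {
  return `${requireAppId(appId)}_${requirePackageVersion(version)}.ipk`;
}

// Accept/reject view of the same guard, convenient for regression tests.
function isSafePackageName(appId: string, version: string): boolean {
  try {
    packageName(appId, version);
    return true;
  } catch {
    return false;
  }
}

// Shows the regression flagged in review: hyphenated IDs that webOS permits
// fail the original pattern, while uppercase IDs wrongly pass it.
function compareAppIdGuards(appId: string): { original: boolean; suggested: boolean } {
  return {
    original: ORIGINAL_APP_ID_RE.test(appId),
    suggested: WEBOS_APP_ID_RE.test(appId),
  };
}
```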



Development

Successfully merging this pull request may close these issues.

tv-webos package plan accepts unsafe app ids and versions
