VALIDATION_FUNCTIONS_REFERENCE - nself-org/cli GitHub Wiki
This document provides a quick reference for all input validation functions added to prevent injection attacks.
validate_service_name <service_name>
# Whitelist: api, storage, bandwidth, compute, database, functions
# Usage: validate_service_name "api" || return 1validate_quantity <quantity>
# Pattern: ^[0-9]+(\.[0-9]+)?$ (no negative numbers)
# Usage: validate_quantity "1000.50" || return 1
validate_alert_threshold <threshold>
# Range: 0-100, numeric only
# Usage: validate_alert_threshold "75" || return 1
validate_limit <limit> [max_limit]
# Default max: 1000, prevents DOS
# Usage: validate_limit "50" 10000 || return 1validate_customer_id <customer_id>
# Pattern: ^[a-zA-Z0-9_-]+$ (max 255 chars)
# SQL injection prevention
# Usage: validate_customer_id "cust_123" || return 1validate_date_format <date_string>
# Format: YYYY-MM-DD HH:MM:SS
# SQL injection prevention for timestamps
# Usage: validate_date_format "2026-01-30 14:30:45" || return 1validate_period <period>
# Whitelist: hourly, daily, monthly
# Usage: validate_period "daily" || return 1
validate_format <format>
# Whitelist: json, csv, table, xlsx
# Usage: validate_format "json" || return 1validate_metadata <json_string>
# Validates JSON structure, prevents injection
# Usage: validate_metadata '{"key":"value"}' || return 1
sanitize_metadata_json <json_string>
# Escapes single quotes for SQL safety
# Returns: escaped string
# Usage: safe=$(sanitize_metadata_json "$metadata")validate_brand_name <brand_name>
# Pattern: ^[a-zA-Z0-9[:space:]_-]+$ (max 255 chars)
# Command injection prevention
# Usage: validate_brand_name "My Company" || return 1validate_tenant_id <tenant_id>
# Pattern: ^[a-zA-Z0-9_-]+$ (max 64 chars)
# Path traversal prevention
# Usage: validate_tenant_id "tenant-123" || return 1validate_logo_type <logo_type>
# Whitelist: main, icon, email, favicon
# Usage: validate_logo_type "main" || return 1
validate_file_extension <file_path> <allowed_extensions>
# Case-insensitive, whitelist-based
# Usage: validate_file_extension "logo.png" "png jpg jpeg svg webp" || return 1
validate_file_size <file_path> <max_size_mb>
# Cross-platform (GNU & BSD stat)
# Usage: validate_file_size "logo.png" 5 || return 1
validate_file_magic_bytes <file_path> <expected_mime_type>
# Binary file type verification (defeats spoofing)
# Usage: validate_file_magic_bytes "logo.png" "image/png" || return 1validate_string_length <value> <min_length> <max_length> [field_name]
# Length constraints for all text inputs
# Usage: validate_string_length "tagline" 0 500 "Tagline" || return 1validate_css_security <css_file_path>
# Checks for: javascript:, expression(), behavior:
# Warns about: @import, external URLs
# XSS prevention
# Usage: validate_css_security "style.css" || return 1escape_html <text>
# Escapes: &, <, >, ", '
# Returns: HTML-escaped text
# Usage: safe=$(escape_html "$brand_name")
escape_json_string <text>
# Escapes: \, ", newlines, tabs, etc.
# Returns: JSON-safe string
# Usage: safe=$(escape_json_string "$description")validate_template_type <template_type>
# Whitelist: welcome, password-reset, verify-email, invite, password-change,
# account-update, notification, alert
# Usage: validate_template_type "welcome" || return 1validate_language_code <language_code>
# Pattern: ^[a-z]{2}(-[a-zA-Z]{2,4})?$
# ISO 639-1 format: en, en-US, zh-CN, etc.
# Path traversal prevention
# Usage: validate_language_code "en-US" || return 1validate_variable_name <variable_name>
# Pattern: ^[A-Z][A-Z0-9_]*$ (uppercase only, max 64 chars)
# Command injection prevention
# Usage: validate_variable_name "USER_NAME" || return 1
validate_variable_value <variable_value> [field_name]
# Max 10,000 chars, checks for: $(), `, eval, exec
# Code injection prevention
# Usage: validate_variable_value "John Doe" "User Name" || return 1validate_email_subject <subject_line>
# Non-empty, max 255 chars (RFC 5322)
# Header injection prevention
# Usage: validate_email_subject "Welcome to nself" || return 1validate_template_variables <template_content> [var1=val1] [var2=val2] ...
# Extracts {{VAR_NAME}} patterns, checks if provided
# Runtime variable validation
# Usage: validate_template_variables "$template" "USER_NAME=John" || return 0sanitize_url <url>
# Rejects: javascript:, data:, vbscript:
# Only allows: http://, https://, /
# XSS prevention
# Usage: safe_url=$(sanitize_url "$action_url") || return 1escape_html_for_email <text>
# Escapes HTML special characters for email context
# Returns: HTML-safe text
# Usage: safe=$(escape_html_for_email "$user_name")validate_service_name "$service" || return 1
validate_quantity "$qty" || return 1
# Continue with safe inputs...if ! validate_metadata "$json"; then
error "Invalid metadata"
return 1
fisafe_name=$(escape_html "$brand_name")
safe_url=$(sanitize_url "$action_url")
# Use escaped values in outputvalidate_file_extension "$path" "png jpg" || return 1
validate_file_size "$path" 5 || return 1
validate_file_magic_bytes "$path" "image/png" || return 1
# File is safe to use| System | File | Validations |
|---|---|---|
| Billing | /src/lib/billing/usage.sh |
23 functions |
| Branding | /src/lib/whitelabel/branding.sh |
42 functions |
/src/lib/whitelabel/email-templates.sh |
20 functions |
All validation functions follow consistent error message patterns:
# Format errors
"Error: Field too long (X chars). Maximum: Y"
# Format errors
"Error: Invalid X format. Must be Y"
# Injection attempts
"Error: X contains potentially dangerous code"
# Unsupported values
"Error: Invalid X. Must be one of: Y, Z"When using these validation functions:
- Validate ALL user inputs at entry points
- Validate parameters from external APIs
- Return 1 on validation failure (bash convention)
- Log validation failures for security monitoring
- Use escape functions before output
- Apply context-specific escaping (HTML vs JSON)
- Test with known attack vectors
- Update this guide when adding new validations
# These should FAIL validation:
validate_service_name "api'; DROP TABLE--"
validate_customer_id "123' OR '1'='1"
validate_metadata '{"x":"y"}; DROP TABLE--'# These should FAIL validation:
validate_brand_name "\$(rm -rf /)"
validate_variable_name "USER; rm -rf /"
validate_template_type "$(whoami)"# These should FAIL or be escaped:
validate_variable_value "<script>alert(1)</script>"
escape_html_for_email "<img src=x onerror=alert(1)>"
sanitize_url "javascript:alert(1)"# These should FAIL validation:
validate_tenant_id "../../../etc/passwd"
validate_template_type "../../../../etc/passwd"
validate_language_code "../../../evil"# Extension spoofing - would FAIL:
validate_file_extension "malware.exe" "png jpg"
# Magic bytes - would FAIL:
validate_file_magic_bytes "actually_exe.png" "image/png"
# Size DOS - would FAIL:
validate_file_size "huge_file.png" 5 # when file > 5MB- All validations are O(n) where n = input size (< 10KB typical)
- Pattern matching: < 1ms per validation
- File operations: ~1-5ms per file
- Overall impact: negligible (< 50ms per request)
# If legitimate input is rejected, check:
# 1. Input doesn't contain special characters
# 2. Input is within length limits
# 3. Input matches the documented format
# 4. Input isn't being double-escaped
# Example: Brand names must allow spaces
validate_brand_name "My Company" || return 1 # Should pass# To add custom validation:
my_custom_validate() {
local input="$1"
# Your validation logic
[[ "$input" =~ ^pattern$ ]] || return 1
return 0
}
# Use in your code
my_custom_validate "$user_input" || return 1Last Updated: January 30, 2026 Status: Production Ready ✅