Sync from /srv/compose/unified-media-manager

internal/service/safety.go

@@ -0,0 +1,56 @@
+package service
+
+import (
+	"net/url"
+	"path/filepath"
+	"strings"
+)
+
+var dangerousExtensions = map[string]bool{
+	".exe": true, ".bat": true, ".cmd": true, ".scr": true,
+	".js": true, ".vbs": true, ".com": true, ".ps1": true,
+	".sh": true, ".wsf": true, ".wsh": true, ".msi": true,
+	".dll": true, ".lnk": true, ".inf": true, ".reg": true,
+	".vbe": true, ".jse": true, ".cpl": true, ".hta": true,
+}
+
+type SafetyBlockResult struct {
+	Blocked          bool   `json:"blocked"`
+	Reason           string `json:"reason"`
+	MatchedExtension string `json:"matched_extension"`
+}
+
+type SafetyService struct{}
+
+func NewSafetyService() *SafetyService {
+	return &SafetyService{}
+}
+
+func (s *SafetyService) Check(title string, downloadURL string) *SafetyBlockResult {
+	// Check extension from release title
+	ext := strings.ToLower(filepath.Ext(title))
+	if dangerousExtensions[ext] {
+		return &SafetyBlockResult{
+			Blocked:          true,
+			Reason:           "Release contains dangerous file extension: " + ext,
+			MatchedExtension: ext,
+		}
+	}
+
+	// Check extension from download URL
+	if downloadURL != "" {
+		u, err := url.Parse(downloadURL)
+		if err == nil {
+			urlExt := strings.ToLower(filepath.Ext(u.Path))
+			if dangerousExtensions[urlExt] {
+				return &SafetyBlockResult{
+					Blocked:          true,
+					Reason:           "Download URL contains dangerous file extension: " + urlExt,
+					MatchedExtension: urlExt,
+				}
+			}
+		}
+	}
+
+	return nil
+}