mirror of https://github.com/lxc/incus.git synced 2026-02-05 09:46:19 +01:00

shared/validate: Don't allow $ in API names

Since some of those names may be passed to a shell either on the client
or server side, let's avoid getting into potential variable expansions.

Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Reported-by:  Rory McNamara <rory.mcnamara@snyk.io>
Stéphane Graber
2026-01-17 08:35:27 -05:00
parent bf512b985d
commit 26f45a11ae


@@ -574,7 +574,7 @@ func IsAPIName(value string, allowSlashes bool) error {
}
// Check for special URL characters.
reservedChars := []string{"?", "&", "+", "\"", "'", "`", "*"}
reservedChars := []string{"$", "?", "&", "+", "\"", "'", "`", "*"}
if !allowSlashes {
reservedChars = append(reservedChars, "/")
}
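Review bot: Adding `$` to `reservedChars` stops variable expansion, but the list is still a denylist, and the only shell-significant characters visibly rejected here are `$`, `&`, the backtick, the two quotes and `*`; `;`, `|`, `<`, `>`, `(`, `)` and `\` are not in it, and whether earlier checks in `IsAPIName` (its body starts outside this hunk) already cover them cannot be seen from here. If these names really can reach a shell, as the commit message says, it would be safer to reject those characters too or to validate against an allowlist of permitted characters, and to confirm that call sites pass names as separate argv elements rather than interpolating them into a command string. The comment above the list is also incomplete now; I would change it to `// Check for special URL characters and shell metacharacters.` and add a `$` case to the validator's tests so the restriction is not dropped later.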