From 26f45a11aee79508623117eeb0dc9e4c0ed97c5d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?=
Date: Sat, 17 Jan 2026 08:35:27 -0500
Subject: [PATCH] shared/validate: Don't allow $ in API names
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Since some of those names may be passed to a shell either on the client or server side, let's avoid getting into potential variable expansions.

Signed-off-by: Stéphane Graber
Reported-by: Rory McNamara
---
 shared/validate/validate.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shared/validate/validate.go b/shared/validate/validate.go
index dc2369963..bc35fda04 100644
--- a/shared/validate/validate.go
+++ b/shared/validate/validate.go
@@ -574,7 +574,7 @@ func IsAPIName(value string, allowSlashes bool) error {
 }

 // Check for special URL characters.
- reservedChars := []string{"?", "&", "+", "\"", "'", "`", "*"}
+ reservedChars := []string{"$", "?", "&", "+", "\"", "'", "`", "*"}
 if !allowSlashes {
 reservedChars = append(reservedChars, "/")
 }
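Review bot: `reservedChars` remains a deny-list that only partly covers the shell case named in the commit message: `;`, `|`, `<`, `>`, `(`, `)` and `\` are not in the visible list. Whether other checks in IsAPIName reject them cannot be told from this hunk, because the function body starts and ends outside it. If API names can reach a shell, the sturdier fix is at those call sites (pass the name as its own argv element rather than interpolating it into a command string), with this validation kept as defence in depth; an allow-list of permitted characters would also be easier to audit than a growing list. The comment above the slice should be updated to match the new purpose, e.g. `// Check for special URL and shell characters.`. A test case asserting that a name containing `$` is rejected would pin the behaviour.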