From 5436c28a1f94a4b7f952761af94591a4256cb972 Mon Sep 17 00:00:00 2001
From: LordMathis <matus@namesny.com>
Date: Thu, 9 Oct 2025 22:10:40 +0200
Subject: [PATCH] Add instance name validation before deletion for security

---
 pkg/manager/operations.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/pkg/manager/operations.go b/pkg/manager/operations.go
index 938e542..0d38a73 100644
--- a/pkg/manager/operations.go
+++ b/pkg/manager/operations.go
@@ -287,6 +287,10 @@ func (im *instanceManager) DeleteInstance(name string) error {
 		delete(im.instanceNodeMap, name)
 
 		// Delete the instance's config file if persistence is enabled
+		// Re-validate instance name for security (defense in depth)
+		if _, err := validation.ValidateInstanceName(name); err != nil {
+			return fmt.Errorf("invalid instance name for file deletion: %w", err)
+		}
 		instancePath := filepath.Join(im.instancesConfig.InstancesDir, name+".json")
 		if err := os.Remove(instancePath); err != nil && !os.IsNotExist(err) {
 			return fmt.Errorf("failed to delete config file for remote instance %s: %w", name, err)
@@ -306,6 +310,10 @@ func (im *instanceManager) DeleteInstance(name string) error {
 	delete(im.instances, name)
 
 	// Delete the instance's config file if persistence is enabled
+	// Re-validate instance name for security (defense in depth)
+	if _, err := validation.ValidateInstanceName(inst.Name); err != nil {
+		return fmt.Errorf("invalid instance name for file deletion: %w", err)
+	}
 	instancePath := filepath.Join(im.instancesConfig.InstancesDir, inst.Name+".json")
 	if err := os.Remove(instancePath); err != nil && !os.IsNotExist(err) {
 		return fmt.Errorf("failed to delete config file for instance %s: %w", inst.Name, err)