fix(security): add path traversal validation to all installer scripts

- Validate tool name argument rejects "/" and ".." in install_tool.sh
  (entry point) and all 10 installer scripts (defense in depth)
- Extract print_installed_status() helper in guide.sh to reduce
  duplicated installed/not-installed display logic

Author: CybotTM

scripts/guide.sh

@@ -165,6 +165,17 @@ osc8() {
   [ -n "$url" ] && printf '\e]8;;%s\e\\%s\e]8;;\e\\' "$url" "$text" || printf '%s' "$text"
 }
 
+# Print installed status line (reusable for auto-update and interactive prompts)
+print_installed_status() {
+  local installed="$1"
+  local method="$2"
+  if [ -z "$installed" ]; then
+    printf "    installed: not installed\n"
+  else
+    printf "    installed: %s via %s\n" "$installed" "${method:-unknown}"
+  fi
+}
+
 # Check for multiple installations and print warning if found
 # Args: catalog_tool_name
 # Returns: 0 always (informational only)
@@ -291,11 +302,7 @@ process_tool() {
   # BUT: multi-version tools always prompt (more significant operation)
   if [ "$auto_update" = "true" ] && [ -z "$is_multi_version" ]; then
     printf "\n==> %s %s [auto-update]\n" "$icon" "$display"
-    if [ -z "$installed" ]; then
-      printf "    installed: not installed\n"
-    else
-      printf "    installed: %s via %s\n" "$installed" "${method:-unknown}"
-    fi
+    print_installed_status "$installed" "$method"
     # Show target; for self-managed tools (skip_upstream) show "self-managed" instead of <unknown>
     local target_display="${latest:-<unknown>}"
     local skip_upstream="$(catalog_get_property "$catalog_tool" skip_upstream)"
@@ -349,11 +356,7 @@ process_tool() {
   printf "\n==> %s %s\n" "$icon" "$display"
   [ -n "$description" ] && printf "    %s\n" "$description"
   [ -n "$homepage" ] && printf "    Homepage: %s\n" "$(osc8 "$homepage" "$homepage")"
-  if [ -z "$installed" ]; then
-    printf "    installed: not installed\n"
-  else
-    printf "    installed: %s via %s\n" "$installed" "${method:-unknown}"
-  fi
+  print_installed_status "$installed" "$method"
 
   check_multi_installs "$catalog_tool"
 

scripts/install_tool.sh

@@ -17,6 +17,12 @@ if [ -z "$TOOL" ]; then
   exit 1
 fi
 
+# Validate tool name to prevent path traversal
+if [[ "$TOOL" == *"/"* ]] || [[ "$TOOL" == *".."* ]]; then
+  echo "[$TOOL] Error: Invalid tool name" >&2
+  exit 1
+fi
+
 CATALOG_FILE="$DIR/../catalog/$TOOL.json"
 
 # Check if tool has catalog entry

scripts/installers/dedicated_script.sh

@@ -11,6 +11,12 @@ if [ -z "$TOOL" ]; then
   exit 1
 fi
 
+# Validate tool name to prevent path traversal
+if [[ "$TOOL" == *"/"* ]] || [[ "$TOOL" == *".."* ]]; then
+  echo "Error: Invalid tool name: $TOOL" >&2
+  exit 1
+fi
+
 CATALOG_FILE="$DIR/../catalog/$TOOL.json"
 if [ ! -f "$CATALOG_FILE" ]; then
   echo "Error: Catalog file not found: $CATALOG_FILE" >&2

scripts/installers/docker_plugin.sh

@@ -13,6 +13,12 @@ if [ -z "$TOOL" ]; then
   exit 1
 fi
 
+# Validate tool name to prevent path traversal
+if [[ "$TOOL" == *"/"* ]] || [[ "$TOOL" == *".."* ]]; then
+  echo "Error: Invalid tool name: $TOOL" >&2
+  exit 1
+fi
+
 CATALOG_FILE="$DIR/../catalog/$TOOL.json"
 if [ ! -f "$CATALOG_FILE" ]; then
   echo "Error: Catalog file not found: $CATALOG_FILE" >&2

scripts/installers/gcloud_installer.sh

@@ -7,6 +7,13 @@ DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 . "$DIR/lib/install_strategy.sh"
 
 TOOL="${1:-gcloud}"
+
+# Validate tool name to prevent path traversal
+if [[ "$TOOL" == *"/"* ]] || [[ "$TOOL" == *".."* ]]; then
+  echo "Error: Invalid tool name: $TOOL" >&2
+  exit 1
+fi
+
 CATALOG_FILE="$DIR/../catalog/$TOOL.json"
 
 if [ ! -f "$CATALOG_FILE" ]; then

scripts/installers/github_clone.sh

@@ -11,6 +11,12 @@ if [ -z "$TOOL" ]; then
   exit 1
 fi
 
+# Validate tool name to prevent path traversal
+if [[ "$TOOL" == *"/"* ]] || [[ "$TOOL" == *".."* ]]; then
+  echo "Error: Invalid tool name: $TOOL" >&2
+  exit 1
+fi
+
 ACTION="${2:-install}"
 
 CATALOG_FILE="$DIR/../catalog/$TOOL.json"

scripts/installers/github_release_binary.sh

@@ -20,6 +20,12 @@ if [ -z "$TOOL" ]; then
   exit 1
 fi
 
+# Validate tool name to prevent path traversal
+if [[ "$TOOL" == *"/"* ]] || [[ "$TOOL" == *".."* ]]; then
+  echo "Error: Invalid tool name: $TOOL" >&2
+  exit 1
+fi
+
 CATALOG_FILE="$DIR/../catalog/$TOOL.json"
 if [ ! -f "$CATALOG_FILE" ]; then
   echo "Error: Catalog file not found: $CATALOG_FILE" >&2

scripts/installers/go_install.sh

@@ -12,6 +12,12 @@ if [ -z "$TOOL" ]; then
   exit 1
 fi
 
+# Validate tool name to prevent path traversal
+if [[ "$TOOL" == *"/"* ]] || [[ "$TOOL" == *".."* ]]; then
+  echo "Error: Invalid tool name: $TOOL" >&2
+  exit 1
+fi
+
 CATALOG_FILE="$DIR/../catalog/$TOOL.json"
 if [ ! -f "$CATALOG_FILE" ]; then
   echo "Error: Catalog file not found: $CATALOG_FILE" >&2

scripts/installers/hashicorp_zip.sh

@@ -12,6 +12,12 @@ if [ -z "$TOOL" ]; then
   exit 1
 fi
 
+# Validate tool name to prevent path traversal
+if [[ "$TOOL" == *"/"* ]] || [[ "$TOOL" == *".."* ]]; then
+  echo "Error: Invalid tool name: $TOOL" >&2
+  exit 1
+fi
+
 CATALOG_FILE="$DIR/../catalog/$TOOL.json"
 if [ ! -f "$CATALOG_FILE" ]; then
   echo "Error: Catalog file not found: $CATALOG_FILE" >&2

scripts/installers/npm_global.sh

@@ -18,6 +18,12 @@ if [ -z "$TOOL" ]; then
   exit 1
 fi
 
+# Validate tool name to prevent path traversal
+if [[ "$TOOL" == *"/"* ]] || [[ "$TOOL" == *".."* ]]; then
+  echo "Error: Invalid tool name: $TOOL" >&2
+  exit 1
+fi
+
 CATALOG_FILE="$DIR/../catalog/$TOOL.json"
 if [ ! -f "$CATALOG_FILE" ]; then
   echo "Error: Catalog file not found: $CATALOG_FILE" >&2