fix(security): address review comments on PR #4895

- Use "/" instead of filepath.Separator for HTTP URL path stripping (fixes Windows)
- Add missing changelog entry for command injection fix
- Remove stale line number reference in comment

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

v3/UNRELEASED_CHANGELOG.md

@@ -43,6 +43,7 @@ After processing, the content will be moved to the main changelog and this file
 <!-- Security-related changes -->
 - Restrict GITHUB_TOKEN permissions in workflow files to follow principle of least privilege
 - Fix path traversal vulnerability in screen example asset middleware
+- Fix command injection vulnerability in setup wizard dependency installation endpoint
 - Update rollup to 3.29.5 to fix XSS vulnerability (CVE-2024-47068)
 
 ---

v3/examples/screen/main.go

@@ -57,8 +57,8 @@ func main() {
 
 					// Clean the requested URL path and make it relative, to prevent directory traversal
 					cleanPath := filepath.Clean(r.URL.Path)
-					// Treat the request path as relative by stripping any leading slash.
-					relativePath := strings.TrimPrefix(cleanPath, string(filepath.Separator))
+					// Treat the request path as relative by stripping any leading forward slash (HTTP paths always use "/").
+					relativePath := strings.TrimPrefix(cleanPath, "/")
 
 					// Resolve the requested path against the absolute assets directory.
 					resolvedPath, err := filepath.Abs(filepath.Join(assetsDirAbs, relativePath))
@@ -76,7 +76,7 @@ func main() {
 						return
 					}
 
-					// Path is validated to be within assetsDirAbs above (lines 71-77).
+					// Path is validated to be within assetsDirAbs above.
 					if _, err := os.Stat(resolvedPath); err == nil { // #nosec G304 // lgtm[go/path-injection] -- path validated above
 						// Serve file from disk to make testing easy
 						http.ServeFile(w, r, resolvedPath) // #nosec G304 // lgtm[go/path-injection] -- path validated above