From 8c9e0b51579169dc84c854bf1a08db5a543e1bf4 Mon Sep 17 00:00:00 2001
From: Lea Anthony
Date: Fri, 6 Feb 2026 19:52:53 +1100
Subject: [PATCH] fix(security): address review comments on PR #4895

- Use "/" instead of filepath.Separator for HTTP URL path stripping (fixes Windows)
- Add missing changelog entry for command injection fix
- Remove stale line number reference in comment

Co-Authored-By: Claude Opus 4.6
---
 v3/UNRELEASED_CHANGELOG.md | 1 +
 v3/examples/screen/main.go | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/v3/UNRELEASED_CHANGELOG.md b/v3/UNRELEASED_CHANGELOG.md
index c6b7006b3..b75d8fe4c 100644
--- a/v3/UNRELEASED_CHANGELOG.md
+++ b/v3/UNRELEASED_CHANGELOG.md
@@ -43,6 +43,7 @@ After processing, the content will be moved to the main changelog and this file
 - Restrict GITHUB_TOKEN permissions in workflow files to follow principle of least privilege
 - Fix path traversal vulnerability in screen example asset middleware
+- Fix command injection vulnerability in setup wizard dependency installation endpoint
 - Update rollup to 3.29.5 to fix XSS vulnerability (CVE-2024-47068)
 ---
diff --git a/v3/examples/screen/main.go b/v3/examples/screen/main.go
index 3f4981d5b..1a18785da 100644
--- a/v3/examples/screen/main.go
+++ b/v3/examples/screen/main.go
@@ -57,8 +57,8 @@ func main() {
 // Clean the requested URL path and make it relative, to prevent directory traversal
 cleanPath := filepath.Clean(r.URL.Path)
-// Treat the request path as relative by stripping any leading slash.
-relativePath := strings.TrimPrefix(cleanPath, string(filepath.Separator))
+// Treat the request path as relative by stripping any leading forward slash (HTTP paths always use "/").
+relativePath := strings.TrimPrefix(cleanPath, "/")
 // Resolve the requested path against the absolute assets directory.
 resolvedPath, err := filepath.Abs(filepath.Join(assetsDirAbs, relativePath))
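Review bot: The `strings.TrimPrefix(cleanPath, "/")` on the new `relativePath` line is still a no-op on Windows, because `filepath.Clean` on the preceding line replaces every "/" in the URL path with the OS separator before the prefix is stripped, so `cleanPath` is no longer a slash-separated HTTP path when the "/" comparison runs; the resolved path only comes out right because `filepath.Join` re-cleans the leading separator away. Cleaning with URL semantics first and converting to an OS path once is clearer and behaves the same on every platform: `cleanPath := path.Clean("/" + r.URL.Path)`, `relativePath := strings.TrimPrefix(cleanPath, "/")`, `resolvedPath, err := filepath.Abs(filepath.Join(assetsDirAbs, filepath.FromSlash(relativePath)))` (this needs a `path` import). The new comment's statement that HTTP paths always use "/" is then true of the value it sits next to. The containment check that consumes `resolvedPath`, and the rest of the handler, are outside this hunk.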
@@ -76,7 +76,7 @@ func main() {
 return
 }
-// Path is validated to be within assetsDirAbs above (lines 71-77).
+// Path is validated to be within assetsDirAbs above.
 if _, err := os.Stat(resolvedPath); err == nil { // #nosec G304 // lgtm[go/path-injection] -- path validated above
 // Serve file from disk to make testing easy
 http.ServeFile(w, r, resolvedPath) // #nosec G304 // lgtm[go/path-injection] -- path validated above
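Review bot: The `os.Stat` guard on the `if` line only confirms that something exists at `resolvedPath`, so a request that resolves to a subdirectory of the assets directory (if any exist) still reaches `http.ServeFile`, which for a directory serves an index.html or a generated listing of its contents; restricting the branch to regular files keeps the asset tree layout private: `if fi, err := os.Stat(resolvedPath); err == nil && !fi.IsDir() { // #nosec G304 // lgtm[go/path-injection] -- path validated above`. The reworded comment now says only "validated above"; naming the check it relies on, e.g. `// Path is validated above to resolve inside assetsDirAbs (see the containment check on resolvedPath).`, keeps it useful without reintroducing line numbers that go stale. The containment check itself and the remainder of the handler lie outside this hunk.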