
Sanitize Android artifact filenames #551

Merged
ralyodio merged 3 commits into profullstack:master from ayskobtw-lil:codex/mobile-android-safe-artifact
Jun 2, 2026

@ayskobtw-lil
Contributor

Summary

  • sanitize mobile-android package/version values before using them in local .aab artifact filenames
  • keep artifact output joined under ctx.outDir
  • add a regression test for package names containing path separators

Fixes #550.

Verification

npx --yes pnpm@9.12.0 exec vitest run packages/targets/mobile-android/src/index.test.ts packages/targets/pkg-flatpak/src/index.test.ts packages/targets/pkg-snap/src/index.test.ts packages/targets/pkg-winget/src/index.test.ts
# 4 files / 26 tests passed

npx --yes pnpm@9.12.0 --filter @profullstack/sh1pt-target-mobile-android --filter @profullstack/sh1pt-target-pkg-flatpak --filter @profullstack/sh1pt-target-pkg-snap --filter @profullstack/sh1pt-target-pkg-winget typecheck
# passed
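
The approach in the summary above, as an added example that is not code from this pull request or the project: reduce each value to a single filename component, then check after path resolution that the result is still inside the output directory. The names `toFileStem`, `isInside`, `artifactPath` and `naivePath`, and the `<package>-<version>.aab` filename layout, are assumptions made for illustration.

```typescript
import * as path from "node:path";

// Hypothetical helper (not the project's safeFileStem): reduce a config value
// to one filename component with no separators and no leading dots.
function toFileStem(value: string): string {
  const stem = value
    .replace(/[^a-zA-Z0-9._-]+/g, "-") // separators, spaces, etc. become "-"
    .replace(/\.{2,}/g, ".")           // collapse ".." runs to a single dot
    .replace(/^[.-]+|[.-]+$/g, "");    // trim leading/trailing dots and hyphens
  if (stem === "") {
    throw new Error(`no usable filename characters in ${JSON.stringify(value)}`);
  }
  return stem;
}

// True only when `candidate` resolves to a location strictly below `root`.
function isInside(root: string, candidate: string): boolean {
  const rel = path.relative(path.resolve(root), path.resolve(candidate));
  return rel !== "" && rel !== ".." &&
    !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Sanitize first, then verify containment as a second, independent check.
// Assumed layout: <outDir>/<package>-<version>.aab
function artifactPath(outDir: string, packageName: string, version: string): string {
  const file = `${toFileStem(packageName)}-${toFileStem(version)}.aab`;
  const full = path.resolve(outDir, file);
  if (!isInside(outDir, full)) {
    throw new Error(`artifact path escapes outDir: ${full}`);
  }
  return full;
}

// The unsanitized join, kept only to show what the regression test guards against.
function naivePath(outDir: string, packageName: string, version: string): string {
  return path.join(outDir, `${packageName}-${version}.aab`);
}

// Constructed sample input, modelled on the package name quoted in the review.
const sampleOut = "/tmp/out";
const samplePkg = "../com.example.app";
console.log(isInside(sampleOut, naivePath(sampleOut, samplePkg, "1.0.0")));
console.log(artifactPath(sampleOut, samplePkg, "1.0.0"));
```

The containment check is deliberately separate from the sanitizer, so a later change to the character set cannot reintroduce the escape unnoticed.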

@greptile-apps
Contributor

greptile-apps Bot commented Jun 1, 2026

Greptile Summary

This PR sanitizes user-supplied packageName and version values before they are interpolated into local .aab artifact filenames in the mobile-android target, preventing path-traversal attacks (e.g., ../com.example.app). It also removes duplicate validator function definitions from the pkg-flatpak, pkg-snap, and pkg-winget targets and tightens their validation rules.

  • mobile-android: New safeFileStem function strips path-separator characters and constrains the result to safe filename characters, with a regression test verifying the artifact stays inside outDir.
  • pkg-flatpak / pkg-snap / pkg-winget: Duplicate validation functions removed; pkg-flatpak segment regex tightened to require letter-leading segments; pkg-snap gains a consecutive-hyphen rejection; all three get new tests covering updated validation paths.

Confidence Score: 4/5

Safe to merge; the core path-traversal fix is correct and well-tested, and all four targets pass their expanded test suites.

The safeFileStem function omits underscore from its preserved-character set, so a valid Android package name like com.example.my_app silently becomes com.example.my-app in the artifact filename. Two distinct package names could map to the same filename once Gradle actually writes the .aab. The rest of the changes are straightforward and low-risk.

packages/targets/mobile-android/src/index.ts — the safeFileStem character set warrants a second look regarding underscore handling.

Important Files Changed

| Filename | Overview |
| --- | --- |
| packages/targets/mobile-android/src/index.ts | Adds safeFileStem to sanitize package/version values in the .aab artifact path; fixes path-traversal but underscore is not preserved, causing silent normalization of valid package names. |
| packages/targets/mobile-android/src/index.test.ts | Adds a regression test for package names with path separators; correctly verifies the artifact stays inside outDir and cleans up temp dirs via afterEach. |
| packages/targets/pkg-flatpak/src/index.ts | Removes duplicate validateAppId, tightens segment regex to require letter-leading segments, and adds explicit path-traversal guard. |
| packages/targets/pkg-snap/src/index.ts | Adds consecutive-hyphen check, calls validation at the top of renderSnapcraftYaml, and removes the old duplicate function definition. |
| packages/targets/pkg-winget/src/index.ts | Removes old validatePackageId in favour of a more complete version; path-traversal protection is now provided implicitly by per-segment regex. |
| packages/targets/pkg-flatpak/src/index.test.ts | Adds tests for the tightened segment regex and path-separator rejection in both build and ship paths. |
| packages/targets/pkg-snap/src/index.test.ts | Adds tests for the consecutive-hyphen rule and verifies validation fires before filesystem writes. |
| packages/targets/pkg-winget/src/index.test.ts | Adds tests for the packageId validator covering missing dot, leading dot, consecutive dots, and path-separator inputs. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[User-supplied config] --> B{Target}
    B --> AND[mobile-android build]
    B --> FLAT[pkg-flatpak build/ship]
    B --> SNAP[pkg-snap build/ship]
    B --> WIN[pkg-winget build/ship]
    AND --> SF[safeFileStem strips path separators and unsafe chars]
    SF --> ART[join outDir with sanitized stem produces safe artifact path]
    FLAT --> VA[validateAppId checks path chars, segment count, letter-leading regex]
    VA -->|valid| FM[Write .yml manifest]
    VA -->|invalid| ERR1[throw Error]
    SNAP --> VS[validateSnapName checks length, hyphens, consecutive hyphens, charset]
    VS -->|valid| SM[Write snapcraft.yaml]
    VS -->|invalid| ERR2[throw Error]
    WIN --> VP[validatePackageId checks leading/trailing dots, segment count, charset]
    VP -->|valid| WM[Write winget manifests]
    VP -->|invalid| ERR3[throw Error]

Reviews (1): Last reviewed commit: "Sanitize Android artifact filenames" | Re-trigger Greptile

Comment on lines +9 to +11
function safeFileStem(value: string): string {
return value
.replace(/[^a-zA-Z0-9._-]+/g, '-')
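
Review bot: on the `.replace(/[^a-zA-Z0-9._-]+/g, '-')` line, every run of disallowed characters collapses to a single `-`, so the mapping is many-to-one: `com/example` and `com-example` produce the same stem and would share one artifact filename. If filenames have to stay unique per package, reject values that need rewriting instead of silently changing them, or append a short hash of the original value to the stem. The class also keeps `.`, so a value made only of dots passes this step unchanged; the rest of the chain is not visible in these lines, so confirm that it handles that case.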

P2 Underscore (_) is a valid character in Android package names (e.g., com.example.my_app) but is not in the preserved set, so it gets silently replaced with -. Two distinct package names — com.example.my_app and com.example.my-app — would produce identical filenames and could overwrite each other once Gradle actually writes the .aab.

Suggested change
function safeFileStem(value: string): string {
return value
.replace(/[^a-zA-Z0-9._-]+/g, '-')
function safeFileStem(value: string): string {
return value
.replace(/[^a-zA-Z0-9._\-_]+/g, '-')
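
Review bot: the suggested class `[^a-zA-Z0-9._\-_]` lists `_` twice, and the class it replaces, `[^a-zA-Z0-9._-]`, already contains `_` between `.` and `-`, so both expressions match exactly the same characters and underscores are kept either way. The suggestion changes no behaviour and can be dropped; a test asserting that `com.example.my_app` keeps its underscore would pin the behaviour down.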

@ralyodio ralyodio merged commit ca0eebf into profullstack:master Jun 2, 2026
5 checks passed

Development

Successfully merging this pull request may close these issues.

Bug: mobile-android artifact path can escape outDir via packageName
