exTerEX · exTerEX · May 6, 2026 · Apr 1, 2026 · May 6, 2026 · May 6, 2026
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
@@ -2,7 +2,7 @@ name: Continuous integration
 
 on:
   push:
-    branches: 
+    branches:
       - main
       - develop
     paths:
@@ -20,24 +20,32 @@ on:
       - 'go.sum'
       - '.github/workflows/CI.yml'
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        go-version: ['1.22']
+    permissions:
+      contents: read
 
     steps:
     - uses: actions/checkout@v6
 
+    - name: Cache apt packages
+      uses: actions/cache@v4
+      with:
+        path: /var/cache/apt/archives
+        key: apt-ffmpeg-${{ runner.os }}
+
     - name: Install ffmpeg
-      run: sudo apt-get update && sudo apt-get install -y ffmpeg
+      run: sudo apt-get update -q && sudo apt-get install -y -q --no-install-recommends ffmpeg
 
     - name: Set up Go
       uses: actions/setup-go@v6
       with:
-        go-version: ${{ matrix.go-version }}
+        go-version-file: go.mod
+        cache: true
 
     - name: Download dependencies
       run: go mod download
@@ -47,17 +55,26 @@ jobs:
 
   coverage:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
     - uses: actions/checkout@v6
 
+    - name: Cache apt packages
+      uses: actions/cache@v4
+      with:
+        path: /var/cache/apt/archives
+        key: apt-ffmpeg-${{ runner.os }}
+
     - name: Install ffmpeg
-      run: sudo apt-get update && sudo apt-get install -y ffmpeg
+      run: sudo apt-get update -q && sudo apt-get install -y -q --no-install-recommends ffmpeg
 
     - name: Set up Go
       uses: actions/setup-go@v6
       with:
-        go-version: '1.22'
+        go-version-file: go.mod
+        cache: true
 
     - name: Download dependencies
       run: go mod download
@@ -80,16 +97,19 @@ jobs:
 
   lint:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v6
 
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
-          go-version: '1.22'
+          go-version-file: go.mod
+          cache: true
 
       - name: Run go vet
         run: go vet ./...
 
       - name: Build
-        run: go build ./...
+        run: go build ./...
diff --git a/internal/converter/converter.go b/internal/converter/converter.go
@@ -63,11 +63,12 @@ func probeVideoBitrate(source, ffmpegBin string) int64 {
 	if _, err := exec.LookPath(probeBin); err != nil {
 		return 0
 	}
+	src := pathForBin(probeBin, source)
 	out, err := exec.Command(probeBin,
 		"-v", "quiet",
 		"-show_entries", "format=bit_rate",
 		"-of", "default=noprint_wrappers=1",
-		source).Output()
+		src).Output()
 	if err != nil {
 		return 0
 	}
@@ -124,9 +125,67 @@ func getVideoEncoder(codec string) (string, error) {
 	return "", fmt.Errorf("unknown codec: %s", codec)
 }
 
+func validateImageTargetExt(targetExt string) (string, error) {
+	if targetExt == "" {
+		return "", fmt.Errorf("invalid target extension")
+	}
+	if strings.Contains(targetExt, "\x00") || strings.ContainsAny(targetExt, `/\`) || strings.Contains(targetExt, "..") {
+		return "", fmt.Errorf("invalid target extension")
+	}
+	for _, r := range targetExt {
+		if r < 0x20 || r == 0x7f {
+			return "", fmt.Errorf("invalid target extension")
+		}
+	}
+
+	ext := shared.NormaliseExt(normaliseTargetExt(targetExt))
+	switch ext {
+	case ".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tif", ".tiff", ".webp", ".avif":
+		return ext, nil
+	default:
+		return "", fmt.Errorf("unsupported target extension: %s", targetExt)
+	}
+}
+
+func validateVideoTargetExt(targetExt string) (string, error) {
+	if targetExt == "" {
+		return "", fmt.Errorf("invalid target extension")
+	}
+	if strings.Contains(targetExt, "\x00") || strings.ContainsAny(targetExt, `/\`) || strings.Contains(targetExt, "..") {
+		return "", fmt.Errorf("invalid target extension")
+	}
+	for _, r := range targetExt {
+		if r < 0x20 || r == 0x7f {
+			return "", fmt.Errorf("invalid target extension")
+		}
+	}
+
+	ext := shared.NormaliseExt(normaliseTargetExt(targetExt))
+	if _, ok := canonicalVideo[ext]; ok {
+		return ext, nil
+	}
+	return "", fmt.Errorf("unsupported target extension: %s", targetExt)
+}
+
+// IsValidTargetExt reports whether ext is a recognised image or video output extension.
+func IsValidTargetExt(ext string) bool {
+	_, imgErr := validateImageTargetExt(ext)
+	if imgErr == nil {
+		return true
+	}
+	_, vidErr := validateVideoTargetExt(ext)
+	return vidErr == nil
+}
+
 // ConvertImage converts an image file using the imaging library.
 func ConvertImage(source, targetExt, outputDir string) (string, error) {
-	ext := shared.NormaliseExt(normaliseTargetExt(targetExt))
+	if !filepath.IsAbs(source) || strings.Contains(source, "\x00") {
+		return "", fmt.Errorf("invalid source path")
+	}
+	ext, err := validateImageTargetExt(targetExt)
+	if err != nil {
+		return "", err
+	}
 
 	stem := strings.TrimSuffix(filepath.Base(source), filepath.Ext(source))
 	var dest string
@@ -215,13 +274,19 @@ func convertImageByFFmpeg(source, dest, ext string) (string, error) {
 // ConvertVideo converts a video file using ffmpeg.
 // codec is one of: h264, h265, av1, vp8, vp9. Defaults to h264 when empty.
 func ConvertVideo(source, targetExt, codec, outputDir string, av1CRF int) (string, error) {
+	if !filepath.IsAbs(source) || strings.Contains(source, "\x00") {
+		return "", fmt.Errorf("invalid source path")
+	}
 	candidates := ffmpegCandidates()
 	if len(candidates) == 0 {
 		return "", fmt.Errorf("ffmpeg is not installed or not on PATH")
 	}
 	bin := candidates[0]
 
-	ext := normaliseTargetExt(targetExt)
+	ext, err := validateVideoTargetExt(targetExt)
+	if err != nil {
+		return "", err
+	}
 
 	stem := strings.TrimSuffix(filepath.Base(source), filepath.Ext(source))
 	var dest string
@@ -247,7 +312,7 @@ func ConvertVideo(source, targetExt, codec, outputDir string, av1CRF int) (strin
 		return "", err
 	}
 
-	cmd := []string{bin, "-y", "-i", source, "-c:v", encoder, "-c:a", "aac"}
+	cmd := []string{bin, "-y", "-i", pathForBin(bin, source), "-c:v", encoder, "-c:a", "aac"}
 
 	isAV1 := encoder == "libsvtav1" || encoder == "libaom-av1"
 	if isAV1 {
@@ -289,7 +354,7 @@ func ConvertVideo(source, targetExt, codec, outputDir string, av1CRF int) (strin
 		}
 	}
 
-	cmd = append(cmd, dest)
+	cmd = append(cmd, pathForBin(bin, dest))
 
 	out, err2 := exec.Command(cmd[0], cmd[1:]...).CombinedOutput()
 	if err2 != nil {

diff --git a/internal/converter/converter_test.go b/internal/converter/converter_test.go
@@ -198,3 +198,33 @@ func TestVideoConversions_nonEmpty(t *testing.T) {
 		t.Error("VideoConversions is empty")
 	}
 }
+
+// ── Input validation ─────────────────────────────────────────────────────────
+
+func TestConvertImage_relativePath(t *testing.T) {
+	_, err := converter.ConvertImage("relative/path/image.jpg", ".png", "")
+	if err == nil {
+		t.Error("expected error for relative source path, got nil")
+	}
+}
+
+func TestConvertImage_nullBytePath(t *testing.T) {
+	_, err := converter.ConvertImage("/valid/path/image\x00.jpg", ".png", "")
+	if err == nil {
+		t.Error("expected error for source path containing NUL byte, got nil")
+	}
+}
+
+func TestConvertVideo_relativePath(t *testing.T) {
+	_, err := converter.ConvertVideo("relative/path/video.mp4", ".mkv", "", "", 0)
+	if err == nil {
+		t.Error("expected error for relative source path, got nil")
+	}
+}
+
+func TestConvertVideo_nullBytePath(t *testing.T) {
+	_, err := converter.ConvertVideo("/valid/path/video\x00.mp4", ".mkv", "", "", 0)
+	if err == nil {
+		t.Error("expected error for source path containing NUL byte, got nil")
+	}
+}