Fix 29 audit findings across all severity tiers

2026-02-27 22:08:53 +02:00
parent ce11431cdf
commit 804ba35a70
25 changed files with 475 additions and 250 deletions
--- a/src/core/fuse.rs
+++ b/src/core/fuse.rs
@@ -186,9 +186,20 @@ fn has_static_runtime(appimage_path: &Path) -> bool {
        Err(_) => return false,
    };
    let data = &buf[..n];
-    let haystack = String::from_utf8_lossy(data).to_lowercase();
-    haystack.contains("type2-runtime")
-        || haystack.contains("libfuse3")
+    // Search raw bytes directly - avoids allocating a UTF-8 string from binary data.
+    // Case-insensitive matching for the two known signatures.
+    bytes_contains_ci(data, b"type2-runtime")
+        || bytes_contains_ci(data, b"libfuse3")
+}
+
+/// Case-insensitive byte-level substring search (ASCII only).
+fn bytes_contains_ci(haystack: &[u8], needle: &[u8]) -> bool {
+    if needle.is_empty() || haystack.len() < needle.len() {
+        return false;
+    }
+    haystack.windows(needle.len()).any(|window| {
+        window.iter().zip(needle).all(|(h, n)| h.to_ascii_lowercase() == n.to_ascii_lowercase())
+    })
 }

 /// Check if --appimage-extract-and-run is supported.