fix(api): allow template-like patterns in markdown content fields

Remove template injection validation from markdown content fields (Note,
TriageNote). These are free-text fields that legitimately contain ${...},
{{...}}, and similar patterns (e.g., Terraform variable references, shell
variables). TMI does not evaluate templates in stored content, so SSTI
checks were producing false positives that blocked tmi-tf import.

Non-markdown fields (names, titles, metadata) retain template injection
checks via CheckHTMLInjection.

Fixes #223

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: ericfitz

.version

@@ -1,6 +1,6 @@
 {
   "major": 1,
   "minor": 3,
-  "patch": 3,
+  "patch": 4,
   "prerelease": ""
 }

api/markdown_sanitizer.go

@@ -3,7 +3,6 @@ package api
 import (
 	"html"
 	"regexp"
-	"strings"
 
 	"github.com/microcosm-cc/bluemonday"
 )
@@ -95,12 +94,6 @@ func SanitizeMarkdownContent(content string) string {
 	return markdownPolicy.Sanitize(content)
 }
 
-// codeBlockRegex matches fenced code blocks (```...```)
-var codeBlockRegex = regexp.MustCompile("(?s)```[^`]*```")
-
-// inlineCodeRegex matches inline code (`...`)
-var inlineCodeRegex = regexp.MustCompile("`[^`]+`")
-
 // SanitizePlainText strips ALL HTML tags from a string, leaving only text content.
 // Use this for plain-text fields (e.g., metadata values) that should never contain HTML.
 // Unlike SanitizeMarkdownContent, this does not preserve any HTML elements.
@@ -211,23 +204,3 @@ func SanitizePatchOperations(operations []PatchOperation, paths []string) {
 		}
 	}
 }
-
-// validateTemplateInjectionInMarkdown checks for server-side template injection
-// patterns in markdown content. Code blocks are stripped first to avoid false
-// positives from code examples. This covers patterns that bluemonday does not
-// handle (template expressions are not HTML).
-func validateTemplateInjectionInMarkdown(content string) error {
-	// Remove code blocks to avoid false positives
-	contentWithoutCodeBlocks := codeBlockRegex.ReplaceAllString(content, "")
-	contentWithoutCode := inlineCodeRegex.ReplaceAllString(contentWithoutCodeBlocks, "")
-
-	// Check template injection patterns (reuses patterns from html_injection_checker.go)
-	for _, tp := range templateInjectionPatterns {
-		if strings.Contains(contentWithoutCode, tp.pattern) {
-			return InvalidInputError(
-				"Field 'content' contains potentially unsafe " + tp.desc +
-					" pattern (" + tp.pattern + ")")
-		}
-	}
-	return nil
-}

api/markdown_sanitizer_test.go

@@ -422,95 +422,32 @@ func TestSanitizePatchOperations(t *testing.T) {
 	})
 }
 
-func TestValidateTemplateInjectionInMarkdown(t *testing.T) {
+func TestValidateMarkdownContent_AllowsTemplatePatterns(t *testing.T) {
+	// ValidateMarkdownContent no longer rejects template-like patterns in markdown
+	// content fields. These fields store free-text data that may legitimately
+	// contain such syntax (Terraform refs, shell variables, code examples).
 	tests := []struct {
-		name        string
-		content     string
-		expectError bool
-		description string
+		name    string
+		content string
 	}{
-		{
-			name:        "Clean content",
-			content:     "Hello world, this is markdown",
-			expectError: false,
-			description: "Plain text should pass",
-		},
-		{
-			name:        "Handlebars template expression",
-			content:     "Hello {{ user }} world",
-			expectError: true,
-			description: "Template expressions should be rejected",
-		},
-		{
-			name:        "Closing template expression",
-			content:     "Hello result }} here",
-			expectError: true,
-			description: "Closing template expressions should be rejected",
-		},
-		{
-			name:        "JavaScript template literal",
-			content:     "Hello ${ name } world",
-			expectError: true,
-			description: "Template interpolation should be rejected",
-		},
-		{
-			name:        "GitHub Actions context",
-			content:     "Token: ${{ github.token }}",
-			expectError: true,
-			description: "GitHub Actions expressions should be rejected",
-		},
-		{
-			name:        "JSP/ASP template tag",
-			content:     "Hello <% code %> world",
-			expectError: true,
-			description: "Server template tags should be rejected",
-		},
-		{
-			name:        "Spring EL expression",
-			content:     "Hello #{ expr } world",
-			expectError: true,
-			description: "Expression language should be rejected",
-		},
-		{
-			name:        "Template expression in fenced code block",
-			content:     "```\n{{ user }}\n```",
-			expectError: false,
-			description: "Template expressions in code blocks should be allowed",
-		},
-		{
-			name:        "Template expression in inline code",
-			content:     "Use `{{ template }}` syntax",
-			expectError: false,
-			description: "Template expressions in inline code should be allowed",
-		},
-		{
-			name:        "Template expression in code block with language",
-			content:     "```go\nfmt.Println(\"{{ .Name }}\")\n```",
-			expectError: false,
-			description: "Template expressions in language-tagged code blocks should be allowed",
-		},
-		{
-			name:        "Mixed: template in code block and clean content",
-			content:     "# Title\n\n```\n{{ user }}\n```\n\nSafe content here",
-			expectError: false,
-			description: "Template in code block with clean surrounding content should pass",
-		},
-		{
-			name:        "Empty content",
-			content:     "",
-			expectError: false,
-			description: "Empty content should pass",
-		},
+		{"Plain text", "Hello world, this is markdown"},
+		{"Empty content", ""},
+		{"Handlebars template expression", "Hello {{ user }} world"},
+		{"JavaScript template literal", "Hello ${ name } world"},
+		{"GitHub Actions context", "Token: ${{ github.token }}"},
+		{"JSP/ASP template tag", "Hello <% code %> world"},
+		{"Spring EL expression", "Hello #{ expr } world"},
+		{"Terraform variable interpolation", "| OKE Cluster | `${var.name_prefix}-oke` |"},
+		{"Terraform module reference", "cluster_id = '${module.kubernetes.cluster_id}'"},
+		{"Shell variable", "echo ${HOME}/bin"},
+		{"Template in code block", "```\n{{ user }}\n```"},
+		{"Template in inline code", "Use `{{ template }}` syntax"},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			err := validateTemplateInjectionInMarkdown(tt.content)
-			if tt.expectError {
-				assert.Error(t, err, tt.description)
-			} else {
-				assert.NoError(t, err, tt.description)
-			}
+			err := ValidateMarkdownContent(tt.content)
+			assert.NoError(t, err, "Markdown content should accept all template-like patterns")
 		})
 	}
 }

api/validation_registry.go

@@ -177,11 +177,12 @@ func ValidateNoHTMLInjection(data any) error {
 
 // ValidateMarkdownContent validates a markdown content string.
 // HTML tags are allowed and will be sanitized by bluemonday in the handler layer
-// before storage. This function checks only for server-side template injection
-// patterns ({{, ${, <%, etc.) which bluemonday does not handle.
-// This is the shared validation core used by both Note and TriageNote validators.
-func ValidateMarkdownContent(content string) error {
-	return validateTemplateInjectionInMarkdown(content)
+// before storage. Template-like patterns (${, {{, <%, etc.) are permitted in
+// markdown content because these fields store free-text data that may legitimately
+// contain such syntax (e.g., Terraform references, shell variables, code examples).
+// TMI does not evaluate templates in stored content, so SSTI is not a concern here.
+func ValidateMarkdownContent(_ string) error {
+	return nil
 }
 
 // ValidateNoteMarkdown validates Note.Content field for dangerous HTML.

api/validation_test.go

@@ -400,25 +400,21 @@ func TestValidateNoteMarkdown(t *testing.T) {
 	tests := []struct {
 		name        string
 		content     string
-		expectError bool
 		description string
 	}{
 		{
 			name:        "Valid Markdown with headings",
 			content:     "# Heading 1\n## Heading 2\n### Heading 3",
-			expectError: false,
 			description: "Standard Markdown headings should be allowed",
 		},
 		{
 			name:        "Valid Markdown with code block containing JSON",
 			content:     "```json\n{\"option_key_1\": true, \"option_key_2\": \"value\"}\n```",
-			expectError: false,
 			description: "JSON in code blocks should not trigger false positives",
 		},
 		{
 			name:        "Valid Markdown with inline code",
 			content:     "Use the `onclick` handler in your code",
-			expectError: false,
 			description: "Code references to event handlers should be allowed",
 		},
 		{
@@ -484,98 +480,77 @@ class LocalizationDeDuplicator:
         with open(self.locale_file_path, 'r', encoding='utf-8') as f:
             self.localization_data = json.load(f)
 ` + "```" + ``,
-			expectError: false,
 			description: "Complex real-world Markdown example should be allowed",
 		},
 		{
 			name:        "HTML script tag allowed (sanitized in handler)",
 			content:     "This is a note with <script>alert('xss')</script> dangerous content",
-			expectError: false,
 			description: "Script tags pass validation; sanitized by bluemonday in the handler layer",
 		},
 		{
 			name:        "HTML with onclick handler allowed (sanitized in handler)",
 			content:     "Click <a href='#' onclick='alert(1)'>here</a>",
-			expectError: false,
 			description: "HTML with event handlers passes validation; sanitized by bluemonday in the handler layer",
 		},
 		{
 			name:        "Iframe tag allowed (sanitized in handler)",
 			content:     "Embedded content: <iframe src='http://evil.com'></iframe>",
-			expectError: false,
 			description: "Iframe tags pass validation; sanitized by bluemonday in the handler layer",
 		},
 		{
 			name:        "HTML img tag allowed (sanitized in handler)",
 			content:     "Image: <img src='x' onerror='alert(1)'>",
-			expectError: false,
 			description: "HTML img tags pass validation; sanitized by bluemonday in the handler layer",
 		},
 		{
 			name:        "Valid Markdown with link",
 			content:     "Check out [this link](https://example.com)",
-			expectError: false,
 			description: "Markdown links should be allowed",
 		},
 		{
 			name:        "Valid Markdown with image",
 			content:     "![alt text](https://example.com/image.png)",
-			expectError: false,
 			description: "Markdown images should be allowed",
 		},
 		{
 			name:        "Valid empty content",
 			content:     "",
-			expectError: false,
 			description: "Empty content should pass validation (required validation is separate)",
 		},
 		{
 			name:        "HTML paragraph tag allowed (sanitized in handler)",
 			content:     "<p>This is HTML</p>",
-			expectError: false,
 			description: "HTML paragraph tags pass validation; sanitized by bluemonday in the handler layer",
 		},
 		{
 			name:        "HTML div tag allowed (sanitized in handler)",
 			content:     "<div class='container'>Content</div>",
-			expectError: false,
 			description: "HTML div tags pass validation; sanitized by bluemonday in the handler layer",
 		},
 		{
 			name:        "Valid Markdown with special characters",
 			content:     "Special chars: & < > \" ' are allowed in plain text",
-			expectError: false,
 			description: "Special characters in plain text should be allowed",
 		},
 		{
-			name:        "Template expression rejected",
+			name:        "Template expression allowed in markdown",
 			content:     "Hello {{ user }} world",
-			expectError: true,
-			description: "Template expressions should be rejected",
+			description: "Template expressions are permitted in markdown content",
 		},
 		{
-			name:        "Template expression in code block allowed",
-			content:     "```\n{{ user }}\n```",
-			expectError: false,
-			description: "Template expressions in code blocks should be allowed",
-		},
-		{
-			name:        "Template expression in inline code allowed",
-			content:     "Use `{{ template }}` syntax",
-			expectError: false,
-			description: "Template expressions in inline code should be allowed",
-		},
-		{
-			name:        "JavaScript template literal rejected",
+			name:        "JavaScript template literal allowed in markdown",
 			content:     "Hello ${ name } world",
-			expectError: true,
-			description: "JavaScript template interpolation should be rejected",
+			description: "Template interpolation is permitted in markdown content",
 		},
 		{
-			name:        "Server template tag rejected",
+			name:        "Server template tag allowed in markdown",
 			content:     "Hello <% code %> world",
-			expectError: true,
-			description: "Server template tags should be rejected",
+			description: "Server template tags are permitted in markdown content",
+		},
+		{
+			name:        "Terraform variable interpolation",
+			content:     "| OKE Cluster | `${var.name_prefix}-oke` |",
+			description: "Terraform variable syntax is permitted in markdown content",
 		},
 	}
 
@@ -587,17 +562,8 @@ class LocalizationDeDuplicator:
 				Name:    "Test Note",
 			}
 
-			// Run validation
 			err := ValidateNoteMarkdown(note)
-
-			if tt.expectError {
-				assert.Error(t, err, tt.description)
-				if err != nil {
-					assert.Contains(t, err.Error(), "unsafe", "Error should mention unsafe content")
-				}
-			} else {
-				assert.NoError(t, err, tt.description)
-			}
+			assert.NoError(t, err, tt.description)
 		})
 	}
 }

api/version.go

@@ -50,7 +50,7 @@ var (
 	// Minor version number
 	VersionMinor = "3"
 	// Patch version number
-	VersionPatch = "3"
+	VersionPatch = "4"
 	// VersionPreRelease is the pre-release label (e.g., "rc.0", "beta.1"), empty for stable releases
 	VersionPreRelease = ""
 	// GitCommit is the git commit hash from build