Update main.go to allow HOST environment variable for host binding and improve error handling in API response. Update app.go to enforce stricter file permissions and ensure valid file paths when loading files.

desktop/app.go

@@ -6,6 +6,7 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"path/filepath"
 	"time"
 
 	"github.com/wailsapp/wails/v2/pkg/runtime"
@@ -128,7 +129,7 @@ func (a *App) SaveFile(filename string, content string) error {
 		return nil // Cancelled
 	}
 
-	return os.WriteFile(filePath, []byte(content), 0644)
+	return os.WriteFile(filePath, []byte(content), 0600)
 }
 
 // LoadFile shows an open dialog and returns the content of the selected file
@@ -150,10 +151,15 @@ func (a *App) LoadFile() (string, error) {
 		return "", nil // Cancelled
 	}
 
-	content, err := os.ReadFile(filePath)
+	absPath, err := filepath.Abs(filePath)
+	if err != nil {
+		return "", fmt.Errorf("invalid file path: %w", err)
+	}
+	cleanPath := filepath.Clean(absPath)
+
+	content, err := os.ReadFile(cleanPath)
 	if err != nil {
 		return "", err
 	}
 	return string(content), nil
 }
-

desktop/main.go

@@ -50,4 +50,3 @@ func main() {
 		println("Error:", err.Error())
 	}
 }
-

main.go

@@ -78,6 +78,10 @@ func main() {
 		}
 	}
 
+	if hostEnv := os.Getenv("HOST"); hostEnv != "" {
+		*host = hostEnv
+	}
+
 	if *port == "" {
 		*port = os.Getenv("PORT")
 		if *port == "" {
@@ -90,7 +94,9 @@ func main() {
 
 	http.HandleFunc("/api/ping", cors(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
-		w.Write([]byte(`{"status":"ok"}`))
+		if _, err := w.Write([]byte(`{"status":"ok"}`)); err != nil {
+			log.Printf("Error writing response: %v", err)
+		}
 	}))
 
 	// Static Assets
@@ -138,4 +144,3 @@ func main() {
 		log.Fatal(err)
 	}
 }
-