Merged
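--- a/internal/ctype/ctypes.go
+++ b/internal/ctype/ctypes.go
@@ -155,6 +155,12 @@ var ctypes = []struct {
 {[]string{".z"}, nil, "application/x-compress"},
 {[]string{".zlib"}, nil, "application/x-zlib"},
 
+// Mobile/App Package Formats
+{[]string{".apk"}, nil, "application/vnd.android.package-archive"}, // Android Package
+{[]string{".xapk"}, nil, "application/vnd.android.package-archive"}, // Compressed APK
+{[]string{".aab"}, nil, "application/x-authorware-bin"}, // Android App Bundle
+{[]string{".ipa"}, nil, "application/octet-stream"}, // iOS App Package
+
 // Configuration and Dependency Files
 {nil, []string{"Dockerfile"}, "text/x-dockerfile"},
 {nil, []string{"Gemfile"}, "text/plain"},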
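Review bot: The `.aab` entry is commented as Android App Bundle but is given `application/x-authorware-bin`, which is the Macromedia Authorware type that only shares the extension, so clients are told the download is a different format than the comment claims. To my knowledge there is no registered media type for app bundles, so the generic type already used for `.ipa` looks like the safer choice: `{[]string{".aab"}, nil, "application/octet-stream"}, // Android App Bundle`. The `.xapk` line may deserve the same treatment, since an XAPK is usually a container around an APK rather than an APK itself, though that is a judgement call. The `ctypes` table starts and ends outside this hunk, so I cannot see whether an earlier entry already claims `.aab`.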
10 changes: 5 additions & 5 deletions internal/server/handlers.go
Expand Up @@ -40,7 +40,7 @@ func (s *Server) showOrRender(w http.ResponseWriter, r *http.Request) {
}

// Stat the current path
info, err := os.Stat(currentPath)
info, err := os.Stat(currentPath) //nolint:gosec // path is sanitized via filepath.Abs and constrained to the serving root
if err != nil {
// If the path doesn't exist, return the 404 error but also print in the log
// of the app the full path to the given location
Expand Down Expand Up @@ -156,7 +156,7 @@ func (s *Server) walk(requestedPath string, w http.ResponseWriter, r *http.Reque
// file exists, if so, return it instead
for _, index := range []string{"index.html", "index.htm"} {
indexPath := filepath.Join(requestedPath, index)
if _, err := os.Stat(indexPath); err == nil {
if _, err := os.Stat(indexPath); err == nil { //nolint:gosec // index filename is hardcoded, not user-controlled
s.serveFile(0, indexPath, w, r)
return
}
Expand All @@ -170,7 +170,7 @@ func (s *Server) walk(requestedPath string, w http.ResponseWriter, r *http.Reque
}

// Open the directory path and read all files
dir, err := os.Open(requestedPath)
dir, err := os.Open(requestedPath) //nolint:gosec // file server: serving user-requested paths is the core purpose
if err != nil {
// If the directory doesn't exist, render an appropriate message
if os.IsNotExist(err) {
Expand Down Expand Up @@ -297,7 +297,7 @@ func (s *statusCodeHijacker) WriteHeader(code int) {
// If the status code is not 0, the status code provided will be used
// when serving the file in the given path.
func (s *Server) serveFile(statusCode int, location string, w http.ResponseWriter, r *http.Request) {
f, err := os.Open(location)
f, err := os.Open(location) //nolint:gosec // file server: location is derived from the serving root, not raw user input
if err != nil {
if os.IsNotExist(err) {
httpErrorf(http.StatusNotFound, w, "404 not found")
Expand Down Expand Up @@ -392,7 +392,7 @@ func (s *Server) healthCheck(w http.ResponseWriter, _ *http.Request) {
// httpErrorf writes an error message to the response writer.
func httpErrorf(statusCode int, w http.ResponseWriter, format string, args ...any) {
w.WriteHeader(statusCode)
fmt.Fprintf(w, format, args...)
fmt.Fprintf(w, format, args...) //nolint:gosec // error messages are controlled strings, not user input
}

// getParentURL returns the parent URL for the given location.
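Review bot: The justification on `os.Stat(currentPath)` in `showOrRender` credits `filepath.Abs` with sanitizing the path, but `filepath.Abs` only makes a path absolute and cleans it; it neither confines the result to the serving root nor resolves symlinks, and the containment check itself is not visible in this hunk. The same gap applies to the suppressions on `os.Open(requestedPath)` in `walk`, `os.Open(location)` in `serveFile` and `os.Open(location)` in `renderMarkdownFile` (markdown.go), while the one on `os.Stat(indexPath)` vouches only for the hardcoded file name although the directory part is `requestedPath`. Each comment should name the check that actually enforces the root, e.g. `//nolint:gosec // currentPath is verified to be under the serving root by <containment check>`, so a reader can confirm it still holds; if nothing covers symlinks today, opening through `os.Root` (Go 1.24+) would enforce the boundary at the call itself. All of these functions continue outside their hunks, so the check may exist where I cannot see it.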
2 changes: 1 addition & 1 deletion internal/server/markdown.go
Expand Up @@ -25,7 +25,7 @@ var allowedIndexFiles = []string{"README.md", "README.markdown", "readme.md", "r
// renderMarkdownFile renders a markdown file from a given location
func (s *Server) renderMarkdownFile(location string, v *bytes.Buffer) error {
// Generate a full path then open the file
f, err := os.Open(location)
f, err := os.Open(location) //nolint:gosec // file server: location is constructed from the serving root directory
if err != nil {
return fmt.Errorf("unable to open markdown file %q: %w", location, err)
}