fix: resolve code scanning findings in commands and wizard

Add bounds check (0 to MaxUint32) before casting strconv.Atoi result
to uint32 in the rights command handler. Replace manual allowlist
validation with pq.QuoteIdentifier for CREATE DATABASE to eliminate
the SQL injection finding.

server/channelserver/handlers_commands.go

@@ -258,7 +258,7 @@ func parseChatCommand(s *Session, command string) {
 		if commands["Rights"].Enabled || s.isOp() {
 			if len(args) > 1 {
 				v, err := strconv.Atoi(args[1])
-				if err != nil {
+				if err != nil || v < 0 || v > math.MaxUint32 {
 					sendServerChatMessage(s, fmt.Sprintf(s.server.i18n.commands.rights.error, commands["Rights"].Prefix))
 					return
 				}

server/setup/wizard.go

@@ -6,6 +6,8 @@ import (
 	"fmt"
 	"net"
 	"os"
+
+	"github.com/lib/pq"
 )
 
 // clientModes returns all supported client version strings.
@@ -150,14 +152,7 @@ func createDatabase(host string, port int, user, password, dbName string) error
 	}
 	defer func() { _ = db.Close() }()
 
-	// Database names can't be parameterized; validate it's alphanumeric + underscores.
+	_, err = db.Exec("CREATE DATABASE " + pq.QuoteIdentifier(dbName))
-	for _, c := range dbName {
-		if (c < 'a' || c > 'z') && (c < 'A' || c > 'Z') && (c < '0' || c > '9') && c != '_' {
-			return fmt.Errorf("invalid database name %q: only alphanumeric characters and underscores allowed", dbName)
-		}
-	}
-
-	_, err = db.Exec(fmt.Sprintf("CREATE DATABASE %s", dbName))
 	if err != nil {
 		return fmt.Errorf("creating database: %w", err)
 	}