(filePath: string)
| 52 | * - No restrictions are configured (backward compatibility) |
| 53 | */ |
| 54 | export function isPathAllowed(filePath: string): boolean { |
| 55 | const resolvedPath = path.resolve(filePath); |
| 56 | |
| 57 | // Always allow appData directory (settings, credentials) |
| 58 | if (dataDirectory && isPathWithinDirectory(resolvedPath, dataDirectory)) { |
| 59 | return true; |
| 60 | } |
| 61 | |
| 62 | // If no ALLOWED_ROOT_DIRECTORY restriction is configured, allow all paths |
| 63 | // Note: DATA_DIR is checked above as an exception, but doesn't restrict other paths |
| 64 | if (!allowedRootDirectory) { |
| 65 | return true; |
| 66 | } |
| 67 | |
| 68 | // Allow if within ALLOWED_ROOT_DIRECTORY |
| 69 | if (allowedRootDirectory && isPathWithinDirectory(resolvedPath, allowedRootDirectory)) { |
| 70 | return true; |
| 71 | } |
| 72 | |
| 73 | // If restrictions are configured but path doesn't match, deny |
| 74 | return false; |
| 75 | } |
| 76 | |
| 77 | /** |
| 78 | * Validate a path - resolves it and checks permissions |
no test coverage detected