hub / github.com/FlowiseAI/Flowise / isUnsafeFilePath

Function isUnsafeFilePath

packages/components/src/validator.ts:69–94  ·  view source on GitHub ↗
(filePath: string)


67 * @returns {boolean} True if path traversal detected, false otherwise
68 */
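export const isUnsafeFilePath = (filePath: string): boolean => {
    // Operator opt-out: PATH_TRAVERSAL_SAFETY=false disables every check below, so any
    // path, including ones with traversal sequences, is reported as safe.
    if (process.env.PATH_TRAVERSAL_SAFETY === 'false') {
        return false
    }

    // Fail closed: empty, missing or non-string input is treated as unsafe.
    if (!filePath || typeof filePath !== 'string') {
        return true
    }

    // Denylist of traversal and absolute-path shapes, matched against the raw string.
    // The input is never decoded here, so only the single-encoded forms listed below are
    // recognised; a value that is URL-decoded again after this check (e.g. double-encoded
    // input) is not covered.
    // NOTE(review): a pattern check does not replace resolving the final path against the
    // intended base directory and verifying containment - confirm callers do that.
    const dangerousPatterns = [
        /\.\./, // Directory traversal (..)
        /(?:\.|%2e)(?:\.|%2e)/i, // ".." with either dot URL-encoded (%2e%2e, .%2e, %2e.)
        /%2f/i, // URL encoded /
        /%5c/i, // URL encoded \
        /\0/, // Null bytes
        // eslint-disable-next-line no-control-regex
        /[\x00-\x1f]/, // Control characters
        /^\//, // Rooted Unix paths: any leading slash, including "//..." and a bare "/"
        /^[a-zA-Z]:[\\/]/, // Absolute Windows paths (C:\ or C:/ - both separators are accepted)
        /^\\\\[^\\]/, // UNC paths (\\server\)
        /^\\\\\?\\/ // Extended-length paths (\\?\)
    ]

    // None of the patterns use the g flag, so test() is stateless across calls.
    return dangerousPatterns.some((pattern) => pattern.test(filePath))
}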
95
96/**
97 * Validates filename format and security

Callers 5

validator.test.tsFile · 0.90
sanitizeFilenameFunction · 0.90
validateFilenameFunction · 0.85
sanitizeFileNameFunction · 0.85
streamUploadedFileFunction · 0.85

Calls 1

testMethod · 0.80

Tested by

no test coverage detected