MCPcopy Create free account
hub / github.com/atomicdotdev/atomic / validate_session_id

Function validate_session_id

atomic-agent/src/turn/session.rs:648–677  ·  view source on GitHub ↗

Validate a session ID to prevent path traversal. Rejects IDs containing `..`, `/`, `\`, or null bytes.

(session_id: &str)

Source from the content-addressed store, hash-verified

646///
647/// Rejects IDs containing `..`, `/`, `\`, or null bytes.
648fn validate_session_id(session_id: &str) -> AgentResult<()> {
649 if session_id.is_empty() {
650 return Err(AgentError::SessionIdInvalid {
651 session_id: "(empty)".to_string(),
652 });
653 }
654
655 if session_id.contains("..")
656 || session_id.contains('/')
657 || session_id.contains('\\')
658 || session_id.contains('\0')
659 {
660 return Err(AgentError::SessionIdInvalid {
661 session_id: session_id.to_string(),
662 });
663 }
664
665 // Reject very long session IDs (filesystem path limits)
666 if session_id.len() > 255 {
667 return Err(AgentError::SessionIdInvalid {
668 session_id: format!(
669 "{}... (too long: {} chars)",
670 &session_id[..20],
671 session_id.len()
672 ),
673 });
674 }
675
676 Ok(())
677}
678
679// Tests
680

Callers 5

loadMethod · 0.85
saveMethod · 0.85
clearMethod · 0.85

Calls 3

is_emptyMethod · 0.45
containsMethod · 0.45
lenMethod · 0.45

Tested by 2