(filePath: string)
| 212 | * or validateTeamMemKey() which include symlink resolution. |
| 213 | */ |
| 214 | export function isTeamMemPath(filePath: string): boolean { |
| 215 | // SECURITY: resolve() converts to absolute and eliminates .. segments, |
| 216 | // preventing path traversal attacks (e.g. "team/../../etc/passwd") |
| 217 | const resolvedPath = resolve(filePath) |
| 218 | const teamDir = getTeamMemPath() |
| 219 | return resolvedPath.startsWith(teamDir) |
| 220 | } |
| 221 | |
| 222 | /** |
| 223 | * Validate that an absolute file path is safe for writing to the team memory directory. |
no test coverage detected