({ file_path, content }, toolUseContext: ToolUseContext)
| 151 | return '' |
| 152 | }, |
| 153 | async validateInput({ file_path, content }, toolUseContext: ToolUseContext) { |
| 154 | const fullFilePath = expandPath(file_path) |
| 155 | |
| 156 | // Reject writes to team memory files that contain secrets |
| 157 | const secretError = checkTeamMemSecrets(fullFilePath, content) |
| 158 | if (secretError) { |
| 159 | return { result: false, message: secretError, errorCode: 0 } |
| 160 | } |
| 161 | |
| 162 | // Check if path should be ignored based on permission settings |
| 163 | const appState = toolUseContext.getAppState() |
| 164 | const denyRule = matchingRuleForInput( |
| 165 | fullFilePath, |
| 166 | appState.toolPermissionContext, |
| 167 | 'edit', |
| 168 | 'deny', |
| 169 | ) |
| 170 | if (denyRule !== null) { |
| 171 | return { |
| 172 | result: false, |
| 173 | message: |
| 174 | 'File is in a directory that is denied by your permission settings.', |
| 175 | errorCode: 1, |
| 176 | } |
| 177 | } |
| 178 | |
| 179 | // SECURITY: Skip filesystem operations for UNC paths to prevent NTLM credential leaks. |
| 180 | // On Windows, fs.existsSync() on UNC paths triggers SMB authentication which could |
| 181 | // leak credentials to malicious servers. Let the permission check handle UNC paths. |
| 182 | if (fullFilePath.startsWith('\\\\') || fullFilePath.startsWith('//')) { |
| 183 | return { result: true } |
| 184 | } |
| 185 | |
| 186 | const fs = getFsImplementation() |
| 187 | let fileMtimeMs: number |
| 188 | try { |
| 189 | const fileStat = await fs.stat(fullFilePath) |
| 190 | fileMtimeMs = fileStat.mtimeMs |
| 191 | } catch (e) { |
| 192 | if (isENOENT(e)) { |
| 193 | return { result: true } |
| 194 | } |
| 195 | throw e |
| 196 | } |
| 197 | |
| 198 | const readTimestamp = toolUseContext.readFileState.get(fullFilePath) |
| 199 | if (!readTimestamp || readTimestamp.isPartialView) { |
| 200 | return { |
| 201 | result: false, |
| 202 | message: |
| 203 | 'File has not been read yet. Read it first before writing to it.', |
| 204 | errorCode: 2, |
| 205 | } |
| 206 | } |
| 207 | |
| 208 | // Reuse mtime from the stat above — avoids a redundant statSync via |
| 209 | // getFileModificationTime. The readTimestamp guard above ensures this |
| 210 | // block is always reached when the file exists. |
nothing calls this directly
no test coverage detected