(filePath: string)
| 198 | } |
| 199 | |
/**
 * Reports whether `filePath` points at a Claude settings file.
 *
 * A path matches when, after expansion and case normalization, it either
 * ends in `.claude/settings.json` or `.claude/settings.local.json` (in any
 * project, not only the current one), or equals one of the paths returned
 * by `getSettingsPaths()`.
 *
 * NOTE(review): the comparison is purely lexical on the output of
 * `expandPath`. Whether links or other alternative spellings of the same
 * file are resolved depends on `expandPath`, which is not visible here;
 * confirm before relying on this as the only guard.
 *
 * @param filePath - Path to classify, in whatever form the caller received it.
 * @returns `true` when the path is treated as a settings file.
 */
export function isClaudeSettingsPath(filePath: string): boolean {
  // SECURITY: expand the path before any comparison. Redundant `./` segments
  // such as `./.claude/./settings.json` would otherwise slip past the suffix
  // test below. Case is folded afterwards so that mixed-case spellings like
  // `.cLauDe/Settings.locaL.json` cannot bypass the check either.
  const candidate = normalizeCaseForComparison(expandPath(filePath))

  // Built with the platform separator so the suffix test holds on both
  // Unix (/) and Windows (\).
  const protectedSuffixes = [
    `${sep}.claude${sep}settings.json`,
    `${sep}.claude${sep}settings.local.json`,
  ]

  // Any project's .claude settings file counts, not just the current one.
  if (protectedSuffixes.some(suffix => candidate.endsWith(suffix))) {
    return true
  }

  // Otherwise require an exact match against the current project's settings
  // files (including managed settings and CLI args).
  // Assumes getSettingsPaths() yields absolute, normalized paths; confirm.
  for (const settingsPath of getSettingsPaths()) {
    if (normalizeCaseForComparison(settingsPath) === candidate) {
      return true
    }
  }
  return false
}
| 223 | |
| 224 | // Always ask when Claude Code tries to edit its own config files |
| 225 | function isClaudeConfigFilePath(filePath: string): boolean { |