(absolutePath: string)
| 408 | |
/**
 * Report whether `absolutePath` lies inside the session scratchpad directory
 * (the scratchpad directory itself counts as inside).
 *
 * Returns false straight away when the scratchpad feature is disabled.
 *
 * SECURITY: the candidate is run through `normalize` so that `..` and `.`
 * segments are collapsed before the prefix comparison. Without that step a
 * path such as
 *   /tmp/claude-0/proj/session/scratchpad/../../../etc/passwd
 * would satisfy a naive `startsWith` check while actually pointing at
 * /etc/passwd. The comparison then accepts only exact equality with the
 * scratchpad directory, or the directory followed by a path separator, so a
 * sibling like `<scratchpad>-other/...` is not mistaken for a child.
 *
 * NOTE(review): `normalize` is a lexical operation — it does not resolve
 * symlinks, and the prefix comparison is case-sensitive. A symlink created
 * inside the scratchpad that points elsewhere, or a differently-cased prefix
 * on a case-insensitive filesystem, is not caught here; confirm that callers
 * account for this before using the result to authorise a write.
 *
 * @param absolutePath  Path to test. Expected to already be absolute, since
 *   `normalize` leaves a relative path relative (it would then simply fail
 *   the prefix check).
 * @returns true when the normalized path is the scratchpad directory or a
 *   descendant of it; false otherwise or when the scratchpad is disabled.
 */
function isScratchpadPath(absolutePath: string): boolean {
  if (!isScratchpadEnabled()) {
    return false
  }
  const root = getScratchpadDir()
  const candidate = normalize(absolutePath)
  if (candidate === root) {
    return true
  }
  // Append the separator so "<root>-other/file" does not match "<root>".
  return candidate.startsWith(`${root}${sep}`)
}
| 425 | |
| 426 | /** |
| 427 | * Check if a file path is dangerous to auto-edit without explicit permission. |