hub / github.com/codeaashu/claude-code / isScratchpadPath

Function isScratchpadPath

src/utils/permissions/filesystem.ts:410–424  ·  view source on GitHub ↗
(absolutePath: string)

Source from the content-addressed store, hash-verified

/**
 * Reports whether `absolutePath` is the scratchpad directory itself or a
 * location beneath it.
 *
 * Returns false whenever isScratchpadEnabled() reports the feature is off,
 * so a disabled scratchpad never matches any path.
 *
 * SECURITY: the candidate path is normalized before the containment test so
 * that `..` segments are collapsed first. Otherwise a path such as
 *   /tmp/claude-0/proj/session/scratchpad/../../../etc/passwd
 * would satisfy a raw prefix comparison while actually referring to
 * /etc/passwd.
 *
 * NOTE(review): `normalize` is presumably Node's path.normalize, which is a
 * purely lexical operation and does not resolve symlinks. Confirm that
 * callers resolve symlinks (or that the scratchpad cannot contain them)
 * before treating a true result as proof that a write stays inside the
 * directory.
 * NOTE(review): the scratchpad directory is compared exactly as returned by
 * getScratchpadDir(); this assumes it is already an absolute, normalized path
 * with no trailing separator. Verify against its definition.
 *
 * @param absolutePath - Path to test; expected to be absolute.
 * @returns true if the normalized path equals the scratchpad directory or
 *          starts with that directory followed by a path separator.
 */
function isScratchpadPath(absolutePath: string): boolean {
  if (isScratchpadEnabled()) {
    const scratchpadRoot = getScratchpadDir()
    const candidate = normalize(absolutePath)

    // Exact match: the path is the scratchpad directory itself.
    if (candidate === scratchpadRoot) {
      return true
    }

    // Appending the separator keeps a sibling directory that merely shares
    // the prefix (for example "<scratchpad>-other") from matching.
    return candidate.startsWith(scratchpadRoot + sep)
  }
  return false
}
426/**
427 * Check if a file path is dangerous to auto-edit without explicit permission.

Callers 2

Calls 3

isScratchpadEnabled · Function · 0.85
getScratchpadDir · Function · 0.85
normalize · Function · 0.50

Tested by

no test coverage detected