( cleanPath: string, cwd: string, toolPermissionContext: ToolPermissionContext, operationType: FileOperationType, )
| 267 | * Returns the validation result for the base path where the glob would expand. |
| 268 | */ |
| 269 | export function validateGlobPattern( |
| 270 | cleanPath: string, |
| 271 | cwd: string, |
| 272 | toolPermissionContext: ToolPermissionContext, |
| 273 | operationType: FileOperationType, |
| 274 | ): ResolvedPathCheckResult { |
| 275 | if (containsPathTraversal(cleanPath)) { |
| 276 | // For patterns with path traversal, resolve the full path |
| 277 | const absolutePath = isAbsolute(cleanPath) |
| 278 | ? cleanPath |
| 279 | : resolve(cwd, cleanPath) |
| 280 | const { resolvedPath, isCanonical } = safeResolvePath( |
| 281 | getFsImplementation(), |
| 282 | absolutePath, |
| 283 | ) |
| 284 | const result = isPathAllowed( |
| 285 | resolvedPath, |
| 286 | toolPermissionContext, |
| 287 | operationType, |
| 288 | isCanonical ? [resolvedPath] : undefined, |
| 289 | ) |
| 290 | return { |
| 291 | allowed: result.allowed, |
| 292 | resolvedPath, |
| 293 | decisionReason: result.decisionReason, |
| 294 | } |
| 295 | } |
| 296 | |
| 297 | const basePath = getGlobBaseDirectory(cleanPath) |
| 298 | const absoluteBasePath = isAbsolute(basePath) |
| 299 | ? basePath |
| 300 | : resolve(cwd, basePath) |
| 301 | const { resolvedPath, isCanonical } = safeResolvePath( |
| 302 | getFsImplementation(), |
| 303 | absoluteBasePath, |
| 304 | ) |
| 305 | const result = isPathAllowed( |
| 306 | resolvedPath, |
| 307 | toolPermissionContext, |
| 308 | operationType, |
| 309 | isCanonical ? [resolvedPath] : undefined, |
| 310 | ) |
| 311 | return { |
| 312 | allowed: result.allowed, |
| 313 | resolvedPath, |
| 314 | decisionReason: result.decisionReason, |
| 315 | } |
| 316 | } |
| 317 | |
| 318 | const WINDOWS_DRIVE_ROOT_REGEX = /^[A-Za-z]:\/?$/ |
| 319 | const WINDOWS_DRIVE_CHILD_REGEX = /^[A-Za-z]:\/[^/]+$/ |
no test coverage detected