| 371 | * Returns whether the path is allowed and the resolved path for error messages. |
| 372 | */ |
| 373 | export function validatePath( |
| 374 | path: string, |
| 375 | cwd: string, |
| 376 | toolPermissionContext: ToolPermissionContext, |
| 377 | operationType: FileOperationType, |
| 378 | ): ResolvedPathCheckResult { |
| 379 | // Remove surrounding quotes if present |
| 380 | const cleanPath = expandTilde(path.replace(/^['"]|['"]$/g, '')) |
| 381 | |
| 382 | // SECURITY: Block UNC paths that could leak credentials |
| 383 | if (containsVulnerableUncPath(cleanPath)) { |
| 384 | return { |
| 385 | allowed: false, |
| 386 | resolvedPath: cleanPath, |
| 387 | decisionReason: { |
| 388 | type: 'other', |
| 389 | reason: 'UNC network paths require manual approval', |
| 390 | }, |
| 391 | } |
| 392 | } |
| 393 | |
| 394 | // SECURITY: Reject tilde variants (~user, ~+, ~-, ~N) that expandTilde doesn't handle. |
| 395 | // expandTilde resolves ~ and ~/ to $HOME, but ~root, ~+, ~- etc. are left as literal |
| 396 | // text and resolved as relative paths (e.g., /cwd/~root/.ssh/id_rsa). |
| 397 | // The shell expands these differently (~root → /var/root, ~+ → $PWD, ~- → $OLDPWD), |
| 398 | // creating a TOCTOU gap: we validate /cwd/~root/... but bash reads /var/root/... |
| 399 | // This check is safe from false positives because expandTilde already converted |
| 400 | // ~ and ~/ to absolute paths starting with /, so only unexpanded variants remain. |
| 401 | if (cleanPath.startsWith('~')) { |
| 402 | return { |
| 403 | allowed: false, |
| 404 | resolvedPath: cleanPath, |
| 405 | decisionReason: { |
| 406 | type: 'other', |
| 407 | reason: |
| 408 | 'Tilde expansion variants (~user, ~+, ~-) in paths require manual approval', |
| 409 | }, |
| 410 | } |
| 411 | } |
| 412 | |
| 413 | // SECURITY: Reject paths containing ANY shell expansion syntax ($ or % characters, |
| 414 | // or paths starting with = which triggers Zsh equals expansion) |
| 415 | // - $VAR (Unix/Linux environment variables like $HOME, $PWD) |
| 416 | // - ${VAR} (brace expansion) |
| 417 | // - $(cmd) (command substitution) |
| 418 | // - %VAR% (Windows environment variables like %TEMP%, %USERPROFILE%) |
| 419 | // - Nested combinations like $(echo $HOME) |
| 420 | // - =cmd (Zsh equals expansion, e.g. =rg expands to /usr/bin/rg) |
| 421 | // All of these are preserved as literal strings during validation but expanded |
| 422 | // by the shell during execution, creating a TOCTOU vulnerability |
| 423 | if ( |
| 424 | cleanPath.includes('$') || |
| 425 | cleanPath.includes('%') || |
| 426 | cleanPath.startsWith('=') |
| 427 | ) { |
| 428 | return { |
| 429 | allowed: false, |
| 430 | resolvedPath: cleanPath, |