(filePath: string)
| 76 | |
| 77 | /** Validate a file path for reading (eval command). */ |
| 78 | export function validateReadPath(filePath: string): void { |
| 79 | const resolved = path.resolve(filePath); |
| 80 | let realPath: string; |
| 81 | try { |
| 82 | realPath = fs.realpathSync(resolved); |
| 83 | } catch (err: any) { |
| 84 | if (err.code === 'ENOENT') { |
| 85 | try { |
| 86 | const dir = fs.realpathSync(path.dirname(resolved)); |
| 87 | realPath = path.join(dir, path.basename(resolved)); |
| 88 | } catch { |
| 89 | realPath = resolved; |
| 90 | } |
| 91 | } else { |
| 92 | throw new Error(`Cannot resolve real path: ${filePath} (${err.code})`); |
| 93 | } |
| 94 | } |
| 95 | const isSafe = SAFE_DIRECTORIES.some(dir => isPathWithin(realPath, dir)); |
| 96 | if (!isSafe) { |
| 97 | throw new Error(`Path must be within: ${SAFE_DIRECTORIES.join(', ')}`); |
| 98 | } |
| 99 | } |
| 100 | |
| 101 | /** Validate a file path for remote serving (GET /file). TEMP_DIR only, not cwd. */ |
| 102 | export function validateTempPath(filePath: string): void { |
no test coverage detected