MCPcopy
hub / github.com/garrytan/gstack / validateReadPath

Function validateReadPath

browse/src/path-security.ts:78–99  ·  view source on GitHub ↗
(filePath: string)

Source from the content-addressed store, hash-verified

76
77/** Validate a file path for reading (eval command). */
78export function validateReadPath(filePath: string): void {
79 const resolved = path.resolve(filePath);
80 let realPath: string;
81 try {
82 realPath = fs.realpathSync(resolved);
83 } catch (err: any) {
84 if (err.code === 'ENOENT') {
85 try {
86 const dir = fs.realpathSync(path.dirname(resolved));
87 realPath = path.join(dir, path.basename(resolved));
88 } catch {
89 realPath = resolved;
90 }
91 } else {
92 throw new Error(`Cannot resolve real path: ${filePath} (${err.code})`);
93 }
94 }
95 const isSafe = SAFE_DIRECTORIES.some(dir => isPathWithin(realPath, dir));
96 if (!isSafe) {
97 throw new Error(`Path must be within: ${SAFE_DIRECTORIES.join(', ')}`);
98 }
99}
100
101/** Validate a file path for remote serving (GET /file). TEMP_DIR only, not cwd. */
102export function validateTempPath(filePath: string): void {

Callers 5

handleWriteCommandFunction · 0.90
parsePdfFromFileFunction · 0.90
validateNavigationUrlFunction · 0.90
handleReadCommandFunction · 0.90

Calls 1

isPathWithinFunction · 0.90

Tested by

no test coverage detected