chore: fix resolveProjectPath whitelist-root bypass

The scope check at routes/projects.ts:56 short-circuited when
real === whitelistReal, allowing the whitelist directory itself to
resolve as a valid project root. Dropped the `real !== whitelistReal`
half of the && so the predicate becomes the strict prefix check.

Flipped the unit test from a "BEHAVIOR GAP" assertion (documenting
the bug) to a strict-rejection assertion. 23/23 tests still pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 05:53:56 +00:00
parent 4a9f207fe8
commit 57c883b775
2 changed files with 8 additions and 16 deletions

@@ -53,7 +53,7 @@ export async function resolveProjectPath(
return { error: 'path does not exist' };
}
const whitelistReal = await realpath(whitelist);
if (real !== whitelistReal && !real.startsWith(whitelistReal + sep)) {
if (!real.startsWith(whitelistReal + sep)) {
return { error: `path must be under ${whitelist}` };
}
if (!(await isDir(real))) return { error: 'path is not a directory' };
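
Review bot: the strict check `if (!real.startsWith(whitelistReal + sep))` carries no comment saying that the whitelist directory itself is rejected on purpose, so a later cleanup could re-add the `real !== whitelistReal` branch and reopen the bypass; a one-line comment above the `if` stating that only strict descendants are accepted would pin the intent next to the code. Separately, if `whitelistReal` ever resolves to a filesystem root it already ends in `sep`, so `whitelistReal + sep` doubles the separator and the prefix test rejects every path. That fails closed, but it is worth either documenting that a root whitelist is unsupported or stripping a trailing separator before appending `sep`.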