initial

2026-05-14 19:24:50 +00:00
parent af0628867f
commit a7f218e182
63 changed files with 10539 additions and 0 deletions
--- a/apps/server/src/services/path_guard.ts
+++ b/apps/server/src/services/path_guard.ts
@@ -0,0 +1,39 @@
+import { realpath } from 'node:fs/promises';
+import { isAbsolute, resolve, sep } from 'node:path';
+
+export class PathScopeError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = 'PathScopeError';
+  }
+}
+
+export async function resolveProjectRoot(projectPath: string): Promise<string> {
+  try {
+    return await realpath(projectPath);
+  } catch {
+    throw new PathScopeError(`project path does not exist: ${projectPath}`);
+  }
+}
+
+export async function pathGuard(
+  projectRoot: string,
+  requested: string
+): Promise<string> {
+  if (typeof requested !== 'string' || requested.length === 0) {
+    throw new PathScopeError('path is required');
+  }
+  const candidate = isAbsolute(requested) ? requested : resolve(projectRoot, requested);
+  let real: string;
+  try {
+    real = await realpath(candidate);
+  } catch {
+    throw new PathScopeError(`path does not exist: ${requested}`);
+  }
+  if (real !== projectRoot && !real.startsWith(projectRoot + sep)) {
+    throw new PathScopeError(
+      `path escapes project root: ${requested} -> ${real}`
+    );
+  }
+  return real;
+}