fix(core): resolve nested plan directory duplication and relative path policies (#25138)

This commit is contained in:
Mahima Shanware
2026-04-21 14:20:57 -04:00
committed by GitHub
parent c260550146
commit a4e98c0a4c
17 changed files with 283 additions and 76 deletions
+15 -9
View File
@@ -31,30 +31,36 @@ describe('planUtils', () => {
describe('validatePlanPath', () => {
it('should return null for a valid path within plans directory', async () => {
const planPath = path.join('plans', 'test.md');
const fullPath = path.join(tempRootDir, planPath);
const planPath = 'test.md';
const fullPath = path.join(plansDir, planPath);
fs.writeFileSync(fullPath, '# My Plan');
const result = await validatePlanPath(planPath, plansDir);
const result = await validatePlanPath(planPath, plansDir, tempRootDir);
expect(result).toBeNull();
});
it('should return error for non-existent file', async () => {
const planPath = path.join('plans', 'ghost.md');
const result = await validatePlanPath(planPath, plansDir);
const planPath = 'ghost.md';
const result = await validatePlanPath(planPath, plansDir, tempRootDir);
expect(result).toContain('Plan file does not exist');
});
it('should detect path traversal via symbolic links', async () => {
const maliciousPath = path.join('plans', 'malicious.md');
const fullMaliciousPath = path.join(tempRootDir, maliciousPath);
const outsideFile = path.join(tempRootDir, 'outside.txt');
const maliciousPath = 'malicious.md';
const fullMaliciousPath = path.join(plansDir, maliciousPath);
// Create a file outside the plans directory
const outsideFile = path.join(tempRootDir, 'outside.md');
fs.writeFileSync(outsideFile, 'secret content');
// Create a symbolic link pointing outside the plans directory
fs.symlinkSync(outsideFile, fullMaliciousPath);
const result = await validatePlanPath(maliciousPath, plansDir);
const result = await validatePlanPath(
maliciousPath,
plansDir,
tempRootDir,
);
expect(result).toContain('Access denied');
});
});