fix: use realpath for MCP roots validation (#2127)

OrKoN · web-flow · commit 176eb695137d · 2026-05-26T13:04:43.000Z
diff --git a/src/McpContext.ts b/src/McpContext.ts
@@ -5,6 +5,7 @@
  */
 
 import fs from 'node:fs/promises';
+import fsPromises from 'node:fs/promises';
 import os from 'node:os';
 import path from 'node:path';
 import {fileURLToPath, pathToFileURL} from 'node:url';
@@ -45,7 +46,11 @@ import type {
   GeolocationOptions,
   ExtensionServiceWorker,
 } from './types.js';
-import {ensureExtension, getTempFilePath} from './utils/files.js';
+import {
+  ensureExtension,
+  getTempFilePath,
+  resolveCanonicalPath,
+} from './utils/files.js';
 import {getNetworkMultiplierFromString} from './WaitForHelper.js';
 
 interface McpContextOptions {
@@ -175,27 +180,58 @@ export class McpContext implements Context {
     this.#roots = roots;
   }
 
-  validatePath(filePath?: string): void {
+  async validatePath(filePath?: string): Promise<void> {
     if (filePath === undefined) {
       return;
     }
     const roots = this.roots();
     if (roots === undefined) {
       return;
     }
-    const absolutePath = path.resolve(filePath);
+
+    let canonicalPath: string;
+
+    try {
+      canonicalPath = await resolveCanonicalPath(filePath);
+    } catch (err) {
+      const errMsg = err instanceof Error ? err.message : String(err);
+      console.error(
+        `[MCP Context] Error resolving real path for ${filePath}: ${errMsg}`,
+      );
+      throw new Error(
+        `Access denied: Cannot resolve base path for ${filePath}.`,
+      );
+    }
+
+    let allowed = false;
     for (const root of roots) {
-      const rootPath = path.resolve(fileURLToPath(root.uri));
-      if (
-        absolutePath === rootPath ||
-        absolutePath.startsWith(rootPath + path.sep)
-      ) {
-        return;
+      try {
+        const rootPathUri = root.uri;
+        const rootPath = path.resolve(fileURLToPath(rootPathUri));
+        const canonicalRoot = await fsPromises.realpath(rootPath);
+
+        if (
+          canonicalPath === canonicalRoot ||
+          canonicalPath.startsWith(canonicalRoot + path.sep)
+        ) {
+          allowed = true;
+          break;
+        }
+      } catch (rootErr) {
+        const errMsg =
+          rootErr instanceof Error ? rootErr.message : String(rootErr);
+        console.warn(
+          `[MCP Context] Could not resolve configured root ${root.uri}: ${errMsg}`,
+        );
+        // Skip this root if it cannot be resolved.
       }
     }
-    throw new Error(
-      `Access denied: path ${filePath} is not within any of the workspace roots ${JSON.stringify(roots)}.`,
-    );
+
+    if (!allowed) {
+      throw new Error(
+        `Access denied: path ${filePath} (canonical: ${canonicalPath}) is not within any of the configured workspace roots.`,
+      );
+    }
   }
 
   resolveCdpRequestId(page: McpPage, cdpRequestId: string): number | undefined {
@@ -708,7 +744,7 @@ export class McpContext implements Context {
     filename: string,
   ): Promise<{filepath: string}> {
     const filepath = await getTempFilePath(filename);
-    this.validatePath(filepath);
+    await this.validatePath(filepath);
     try {
       await fs.writeFile(filepath, data);
     } catch (err) {
@@ -722,7 +758,7 @@ export class McpContext implements Context {
     clientProvidedFilePath: string,
     extension: SupportedExtensions,
   ): Promise<{filename: string}> {
-    this.validatePath(clientProvidedFilePath);
+    await this.validatePath(clientProvidedFilePath);
     try {
       const filePath = ensureExtension(
         path.resolve(clientProvidedFilePath),
@@ -794,7 +830,7 @@ export class McpContext implements Context {
   }
 
   async installExtension(extensionPath: string): Promise<string> {
-    this.validatePath(extensionPath);
+    await this.validatePath(extensionPath);
     const id = await this.browser.installExtension(extensionPath);
     return id;
   }
@@ -825,36 +861,37 @@ export class McpContext implements Context {
   async getHeapSnapshotAggregates(
     filePath: string,
   ): Promise<Record<string, AggregatedInfoWithId>> {
-    this.validatePath(filePath);
+    await this.validatePath(filePath);
     return await this.#heapSnapshotManager.getAggregates(filePath);
   }
 
   async getHeapSnapshotStats(
     filePath: string,
   ): Promise<DevTools.HeapSnapshotModel.HeapSnapshotModel.Statistics> {
-    this.validatePath(filePath);
+    await this.validatePath(filePath);
     return await this.#heapSnapshotManager.getStats(filePath);
   }
 
   async getHeapSnapshotStaticData(
     filePath: string,
   ): Promise<DevTools.HeapSnapshotModel.HeapSnapshotModel.StaticData | null> {
-    this.validatePath(filePath);
+    await this.validatePath(filePath);
     return await this.#heapSnapshotManager.getStaticData(filePath);
   }
 
   async getHeapSnapshotNodesById(
     filePath: string,
     id: number,
   ): Promise<DevTools.HeapSnapshotModel.HeapSnapshotModel.ItemsRange> {
-    this.validatePath(filePath);
+    await this.validatePath(filePath);
     return await this.#heapSnapshotManager.getNodesById(filePath, id);
   }
 
   async getHeapSnapshotRetainers(
     filePath: string,
     nodeId: number,
   ): Promise<DevTools.HeapSnapshotModel.HeapSnapshotModel.ItemsRange> {
+    await this.validatePath(filePath);
     return await this.#heapSnapshotManager.getRetainers(filePath, nodeId);
   }
 }
diff --git a/src/tools/ToolDefinition.ts b/src/tools/ToolDefinition.ts
@@ -173,7 +173,7 @@ export type SupportedExtensions =
  * Only add methods used by tools/*.
  */
 export type Context = Readonly<{
-  validatePath(filePath?: string): void;
+  validatePath(filePath?: string): Promise<void>;
   isRunningPerformanceTrace(): boolean;
   setIsRunningPerformanceTrace(x: boolean): void;
   isCruxEnabled(): boolean;
diff --git a/src/tools/input.ts b/src/tools/input.ts
@@ -463,7 +463,7 @@ export const uploadFile = definePageTool({
   blockedByDialog: true,
   handler: async (request, response, context) => {
     const {uid, filePath} = request.params;
-    context.validatePath(filePath);
+    await context.validatePath(filePath);
     const handle = (await request.page.getElementByUid(
       uid,
     )) as ElementHandle<HTMLInputElement>;
diff --git a/src/tools/lighthouse.ts b/src/tools/lighthouse.ts
@@ -59,7 +59,7 @@ export const lighthouseAudit = definePageTool({
       outputDirPath,
     } = request.params;
 
-    context.validatePath(outputDirPath);
+    await context.validatePath(outputDirPath);
 
     const flags: Flags = {
       onlyCategories: categories,
diff --git a/src/tools/memory.ts b/src/tools/memory.ts
@@ -25,7 +25,7 @@ export const takeHeapSnapshot = definePageTool({
   blockedByDialog: true,
   handler: async (request, response, context) => {
     const page = request.page;
-    context.validatePath(request.params.filePath);
+    await context.validatePath(request.params.filePath);
 
     await page.pptrPage.captureHeapSnapshot({
       path: ensureExtension(request.params.filePath, '.heapsnapshot'),
@@ -51,7 +51,7 @@ export const getHeapSnapshotSummary = defineTool({
   },
   blockedByDialog: false,
   handler: async (request, response, context) => {
-    context.validatePath(request.params.filePath);
+    await context.validatePath(request.params.filePath);
     const stats = await context.getHeapSnapshotStats(request.params.filePath);
     const staticData = await context.getHeapSnapshotStaticData(
       request.params.filePath,
@@ -83,7 +83,7 @@ export const getHeapSnapshotDetails = defineTool({
   },
   blockedByDialog: false,
   handler: async (request, response, context) => {
-    context.validatePath(request.params.filePath);
+    await context.validatePath(request.params.filePath);
     const aggregates = await context.getHeapSnapshotAggregates(
       request.params.filePath,
     );
@@ -112,7 +112,7 @@ export const getHeapSnapshotClassNodes = defineTool({
   },
   blockedByDialog: false,
   handler: async (request, response, context) => {
-    context.validatePath(request.params.filePath);
+    await context.validatePath(request.params.filePath);
     const nodes = await context.getHeapSnapshotNodesById(
       request.params.filePath,
       request.params.id,
@@ -142,7 +142,7 @@ export const getHeapSnapshotRetainers = defineTool({
     pageSize: zod.number().optional().describe('The page size for pagination.'),
   },
   handler: async (request, response, context) => {
-    context.validatePath(request.params.filePath);
+    await context.validatePath(request.params.filePath);
 
     const retainers = await context.getHeapSnapshotRetainers(
       request.params.filePath,
diff --git a/src/tools/network.ts b/src/tools/network.ts
@@ -116,8 +116,8 @@ export const getNetworkRequest = definePageTool({
   },
   blockedByDialog: true,
   handler: async (request, response, context) => {
-    context.validatePath(request.params.requestFilePath);
-    context.validatePath(request.params.responseFilePath);
+    await context.validatePath(request.params.requestFilePath);
+    await context.validatePath(request.params.responseFilePath);
     if (request.params.reqid) {
       response.attachNetworkRequest(request.params.reqid, {
         requestFilePath: request.params.requestFilePath,
diff --git a/src/tools/performance.ts b/src/tools/performance.ts
@@ -49,7 +49,7 @@ export const startTrace = definePageTool({
   },
   blockedByDialog: true,
   handler: async (request, response, context) => {
-    context.validatePath(request.params.filePath);
+    await context.validatePath(request.params.filePath);
     if (context.isRunningPerformanceTrace()) {
       response.appendResponseLine(
         'Error: a performance trace is already running. Use performance_stop_trace to stop it. Only one trace can be running at any given time.',
@@ -128,7 +128,7 @@ export const stopTrace = definePageTool({
   },
   blockedByDialog: true,
   handler: async (request, response, context) => {
-    context.validatePath(request.params.filePath);
+    await context.validatePath(request.params.filePath);
     if (!context.isRunningPerformanceTrace()) {
       return;
     }
diff --git a/src/tools/screencast.ts b/src/tools/screencast.ts
@@ -40,7 +40,7 @@ export const startScreencast = definePageTool(args => ({
   },
   blockedByDialog: false,
   handler: async (request, response, context) => {
-    context.validatePath(request.params.filePath);
+    await context.validatePath(request.params.filePath);
     if (context.getScreenRecorder() !== null) {
       response.appendResponseLine(
         'Error: a screencast recording is already in progress. Use screencast_stop to stop it before starting a new one.',
diff --git a/src/tools/screenshot.ts b/src/tools/screenshot.ts
@@ -52,7 +52,7 @@ export const screenshot = definePageTool({
   },
   blockedByDialog: true,
   handler: async (request, response, context) => {
-    context.validatePath(request.params.filePath);
+    await context.validatePath(request.params.filePath);
     if (request.params.uid && request.params.fullPage) {
       throw new Error('Providing both "uid" and "fullPage" is not allowed.');
     }
diff --git a/src/tools/script.ts b/src/tools/script.ts
@@ -81,7 +81,7 @@ Example with arguments: \`(el) => {
         filePath,
       } = request.params;
 
-      context.validatePath(filePath);
+      await context.validatePath(filePath);
 
       if (cliArgs?.categoryExtensions && serviceWorkerId) {
         if (uidArgs && uidArgs.length > 0) {
diff --git a/src/tools/snapshot.ts b/src/tools/snapshot.ts
@@ -35,7 +35,7 @@ in the DevTools Elements panel (if any).`,
   },
   blockedByDialog: true,
   handler: async (request, response, context) => {
-    context.validatePath(request.params.filePath);
+    await context.validatePath(request.params.filePath);
     response.includeSnapshot({
       verbose: request.params.verbose ?? false,
       filePath: request.params.filePath,
diff --git a/src/utils/files.ts b/src/utils/files.ts
@@ -22,3 +22,51 @@ export function ensureExtension(
   const ext = path.extname(filepath);
   return filepath.slice(0, filepath.length - ext.length) + extension;
 }
+
+export async function resolveCanonicalPath(filePath: string): Promise<string> {
+  const absolutePath = path.resolve(filePath);
+  try {
+    // Get the true canonical path, resolving all symlinks.
+    return await fs.realpath(absolutePath);
+  } catch (err) {
+    if (
+      err &&
+      typeof err === 'object' &&
+      'code' in err &&
+      err.code === 'ENOENT'
+    ) {
+      // Find the nearest existing ancestor directory on the filesystem.
+      let current = absolutePath;
+      const missingSegments: string[] = [];
+      while (true) {
+        const parent = path.dirname(current);
+        if (parent === current) {
+          // Reached root directory but still couldn't resolve anything.
+          throw err;
+        }
+        try {
+          const canonicalParent = await fs.realpath(parent);
+          return path.join(
+            canonicalParent,
+            path.basename(current),
+            ...missingSegments,
+          );
+        } catch (parentErr) {
+          if (
+            parentErr &&
+            typeof parentErr === 'object' &&
+            'code' in parentErr &&
+            parentErr.code === 'ENOENT'
+          ) {
+            missingSegments.unshift(path.basename(current));
+            current = parent;
+          } else {
+            throw parentErr;
+          }
+        }
+      }
+    } else {
+      throw err;
+    }
+  }
+}
diff --git a/tests/McpContext.test.ts b/tests/McpContext.test.ts
diff --git a/tests/roots.test.ts b/tests/roots.test.ts
diff --git a/tests/utils/files.test.ts b/tests/utils/files.test.ts

Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,7 @@ export const screenshot = definePageTool({`
`52`	`52`	`},`
`53`	`53`	`blockedByDialog: true,`
`54`	`54`	`handler: async (request, response, context) => {`
`55`		`- context.validatePath(request.params.filePath);`
	`55`	`+ await context.validatePath(request.params.filePath);`
`56`	`56`	`if (request.params.uid && request.params.fullPage) {`
`57`	`57`	`throw new Error('Providing both "uid" and "fullPage" is not allowed.');`
`58`	`58`	`}`