fix: normalize path separators for cross-platform security

GhostTypes · GhostTypes · commit a1c1edd3eb39 · 2025-12-05T22:31:42.000-05:00
- Normalize backslashes to forward slashes before path resolution
- Use path.resolve() for proper absolute path handling on all OS
- Add additional path traversal test cases (multi-level, absolute paths)
- Fixes CI test failure on Linux where backslash wasn't recognized as separator
diff --git a/src/tools/read.ts b/src/tools/read.ts
@@ -5,10 +5,15 @@ import { DocFile } from '../types.js';
 
 export function readDoc(relativePath: string): string | null {
     const docsDir = getDocsDir();
-    const fullPath = path.join(docsDir, relativePath);
+
+    // Normalize path separators to forward slashes for cross-platform consistency
+    const normalizedPath = relativePath.replace(/\\/g, '/');
+    const fullPath = path.resolve(docsDir, normalizedPath);
+    const normalizedDocsDir = path.resolve(docsDir);
 
     // Security check: ensure the resolved path is inside docsDir
-    if (!fullPath.startsWith(docsDir)) {
+    // Use path.resolve to get absolute paths and handle .. correctly
+    if (!fullPath.startsWith(normalizedDocsDir + path.sep) && fullPath !== normalizedDocsDir) {
         throw new Error("Access denied: Path is outside of docs directory.");
     }
 
diff --git a/tests/integration.test.ts b/tests/integration.test.ts
@@ -52,12 +52,24 @@ describe('Baritone Docs MCP Integration', () => {
     });
 
     it('should protect against path traversal in readDoc', async () => {
+        // Test Unix-style path traversal
         expect(() => {
             readDoc('../package.json');
         }).toThrow(/Access denied/);
 
+        // Test Windows-style path traversal (now normalized on all platforms)
         expect(() => {
-            readDoc('..\\package.json'); // Windows style
+            readDoc('..\\package.json');
+        }).toThrow(/Access denied/);
+
+        // Test multiple levels of traversal
+        expect(() => {
+            readDoc('../../package.json');
+        }).toThrow(/Access denied/);
+
+        // Test absolute paths
+        expect(() => {
+            readDoc('/etc/passwd');
         }).toThrow(/Access denied/);
     });
 
