fix(core): harden traversal check against Windows dot/space normalization

jope-bm · claude · jope-bm · commit 3903d3599515 · 2026-03-15T21:23:00.000-06:00
Block segments like ".. " and ".. ." that Windows normalizes to "..",
preventing path traversal on Windows filesystems.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
Signed-off-by: Joe P &lt;joe@basicmemory.com&gt;
diff --git a/src/basic_memory/utils.py b/src/basic_memory/utils.py
@@ -509,8 +509,13 @@ def valid_project_path_value(path: str):
 
     # Check for ".." as a path segment (path traversal), not as a substring.
     # Filenames like "hi-everyone..md" are legitimate and must not be blocked.
+    # Also block segments like ".. " and ".. ." because Windows normalizes
+    # trailing dots and spaces away, making them equivalent to "..".
     segments = path.replace("\\", "/").split("/")
-    if any(seg == ".." for seg in segments):
+    if any(
+        seg == ".." or (len(seg) > 2 and seg[:2] == ".." and all(c in ". " for c in seg[2:]))
+        for seg in segments
+    ):
         return False
 
     # Check for Windows-style leading backslash
diff --git a/tests/utils/test_validate_project_path.py b/tests/utils/test_validate_project_path.py
@@ -227,6 +227,10 @@ def test_actual_traversal_still_blocked(self, tmp_path):
             "notes/../../etc/passwd",
             "foo/../../../bar",
             "..\\Windows\\System32",
+            # Windows normalizes trailing dots/spaces to ".."
+            ".. /file.md",
+            ".. ./file.md",
+            "notes/.. /etc/passwd",
         ]
 
         for path in attack_paths:
