feat: add test for validate path

Author: paradite

.github/workflows/validate-path-test.yml

@@ -0,0 +1,34 @@
+name: Validate Path Tests
+
+on:
+  push:
+    paths-ignore:
+      - '**.md'
+      - '**.txt'
+      - '.github/**'
+  pull_request:
+    paths-ignore:
+      - '**.md'
+      - '**.txt'
+      - '.github/**'
+
+jobs:
+  test:
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run validate path tests
+        run: npm run test:ci

__tests__/validatePath.test.ts

@@ -0,0 +1,96 @@
+import {validatePath} from '../utils/fileUtils';
+import fs from 'fs/promises';
+import path from 'path';
+import os from 'os';
+
+describe('validatePath', () => {
+  const testDir = path.join(process.cwd(), 'sample-validate-path');
+  const allowedDirectories = [testDir];
+
+  beforeAll(async () => {
+    // Create test directory and ensure it's clean
+    await fs.rm(testDir, {recursive: true, force: true});
+    await fs.mkdir(testDir, {recursive: true});
+  });
+
+  afterAll(async () => {
+    // Clean up test directory
+    await fs.rm(testDir, {recursive: true, force: true});
+  });
+
+  beforeEach(async () => {
+    // Clean up any leftover symlinks before each test
+    try {
+      await fs.unlink(path.join(testDir, 'symlink.txt'));
+    } catch (error) {
+      // Ignore errors if file doesn't exist
+    }
+  });
+
+  test('should validate path within allowed directories', async () => {
+    const testFilePath = path.join(testDir, 'test.txt');
+    const validatedPath = await validatePath(testFilePath, allowedDirectories);
+    expect(validatedPath).toBe(path.resolve(testFilePath));
+  });
+
+  test('should expand home directory path', async () => {
+    const homePath = '~/test.txt';
+    const expandedPath = path.join(os.homedir(), 'test.txt');
+    const validatedPath = await validatePath(homePath, [os.homedir()]);
+    expect(validatedPath).toBe(path.resolve(expandedPath));
+  });
+
+  test('should throw error for path outside allowed directories', async () => {
+    const outsidePath = path.join(process.cwd(), 'outside.txt');
+    await expect(validatePath(outsidePath, allowedDirectories)).rejects.toThrow(
+      'Access denied - path outside allowed directories',
+    );
+  });
+
+  test('should handle symlinks within allowed directories pointing to allowed directories', async () => {
+    const targetPath = path.join(testDir, 'target.txt');
+    const symlinkPath = path.join(testDir, 'symlink.txt');
+
+    // Create target file
+    await fs.writeFile(targetPath, 'test content');
+    await fs.symlink(targetPath, symlinkPath);
+
+    const validatedPath = await validatePath(symlinkPath, allowedDirectories);
+    expect(validatedPath).toBe(path.resolve(targetPath));
+
+    // Clean up
+    await fs.unlink(symlinkPath);
+    await fs.unlink(targetPath);
+  });
+
+  test('should allow symlinks within allowed directories pointing outside', async () => {
+    const outsidePath = path.join(process.cwd(), 'outside.txt');
+    const symlinkPath = path.join(testDir, 'symlink.txt');
+
+    // Create target file outside allowed directories
+    await fs.writeFile(outsidePath, 'test content');
+    await fs.symlink(outsidePath, symlinkPath);
+
+    const validatedPath = await validatePath(symlinkPath, allowedDirectories);
+    expect(validatedPath).toBe(path.resolve(outsidePath));
+
+    // Clean up
+    await fs.unlink(symlinkPath);
+    await fs.unlink(outsidePath);
+  });
+
+  test('should handle non-existent files with valid parent directory', async () => {
+    const newDir = path.join(testDir, 'new');
+    await fs.mkdir(newDir, {recursive: true});
+    const newFilePath = path.join(newDir, 'file.txt');
+    const validatedPath = await validatePath(newFilePath, allowedDirectories);
+    expect(validatedPath).toBe(path.resolve(newFilePath));
+  });
+
+  test('should throw error for non-existent parent directory', async () => {
+    const invalidPath = path.join(testDir, 'nonexistent', 'file.txt');
+    await expect(validatePath(invalidPath, allowedDirectories)).rejects.toThrow(
+      'Parent directory does not exist',
+    );
+  });
+});

package.json

@@ -1,6 +1,6 @@
 {
   "name": "ai-file-edit",
-  "version": "1.0.7",
+  "version": "1.0.8",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "type": "module",
@@ -23,6 +23,8 @@
     "test:claude": "npm run build && jest --verbose file-edit-claude.test.ts",
     "test:claude-multiple": "npm run build && jest --verbose file-edit-claude-multiple.test.ts",
     "test:openai-multiple": "npm run build && jest --verbose file-edit-openai-multiple.test.ts",
+    "test:validate-path": "npm run build && jest --verbose validatePath.test.ts",
+    "test:ci": "npm run build && jest --ci --coverage --verbose validatePath.test.ts",
     "build": "tsup index.ts --format esm,cjs --dts --clean",
     "prepublish": "npm run build",
     "prepare": "npm run build",

utils/fileUtils.ts

@@ -27,7 +27,7 @@ export async function validatePath(
 
   const normalizedRequested = normalizePath(absolute);
 
-  // Check if path is within allowed directories
+  // First check if the requested path is within allowed directories
   const isAllowed = allowedDirectories.some(dir => normalizedRequested.startsWith(dir));
   if (!isAllowed) {
     throw new Error(
@@ -37,15 +37,16 @@ export async function validatePath(
     );
   }
 
-  // Handle symlinks by checking their real path
+  // Check if the path exists
   try {
-    const realPath = await fs.realpath(absolute);
-    const normalizedReal = normalizePath(realPath);
-    const isRealPathAllowed = allowedDirectories.some(dir => normalizedReal.startsWith(dir));
-    if (!isRealPathAllowed) {
-      throw new Error('Access denied - symlink target outside allowed directories');
+    const stats = await fs.lstat(absolute);
+    if (stats.isSymbolicLink()) {
+      // For symlinks, we trust them if they are within allowed directories
+      // Get the real path for returning, but don't validate it
+      const realPath = await fs.realpath(absolute);
+      return realPath;
     }
-    return realPath;
+    return absolute;
   } catch (error) {
     // For new files that don't exist yet, verify parent directory
     const parentDir = path.dirname(absolute);