Bug: Unwanted Folder Creation When search Receives Non-Existent Path

[DaveW001]

Osgrep Bug Report Draft: Unwanted Folder Creation When search Receives Non-Existent Path

Summary

When running osgrep search with an exec_path argument that does not exist (and especially when that argument is a non-path string such as a query, title, or error message), osgrep creates a new directory at that path and scaffolds a new .osgrep/ workspace inside it.

In real usage (e.g., via an MCP integration), if the integration mistakenly passes the query string as the optional path argument, osgrep can pollute the repository root by creating folders named after queries or error messages (e.g., checklist/, Invalid path format/).

Environment

• OS: Windows (win32)
• osgrep version: 0.5.16 (osgrep --version)
• Install: global npm install (%APPDATA%\npm\node_modules\osgrep)
• Upstream repo: https://github.com/Ryandonofrio3/osgrep

Expected Behavior

• If exec_path is invalid / does not exist, osgrep should either:
  • treat it as a filter and resolve relative to the actual project root without creating anything, or
  • error/warn that the path is invalid.
• osgrep should never create a new project directory and .osgrep/ workspace solely due to a user-supplied argument that is not a real project path.

Actual Behavior

• A non-existent exec_path causes osgrep to create <exec_path>/.osgrep/cache and <exec_path>/.osgrep/lancedb.
• This happens because ensureProjectPaths() calls fs.mkdirSync(..., { recursive: true }) for .osgrep paths even if the resolved root directory does not exist and is not a git repo.

Minimal Reproduction

1. Create a clean test directory:

mkdir C:\temp\osgrep-repro
cd C:\temp\osgrep-repro
git init
echo "hello" > README.md

2. Ensure the target folder does not exist:

if (Test-Path .\checklist) { Remove-Item -Recurse -Force .\checklist }

3. Run osgrep search with a bogus relative exec_path:

osgrep "dummy query" "checklist" -m 1

4. Observe that osgrep created a new directory tree:

Get-ChildItem -Force .\checklist -Recurse

Expected: .\checklist remains absent.
Actual: .\checklist\.osgrep\cache\ and .\checklist\.osgrep\lancedb\ are created.

Notes:

• The exec_path argument can be any string, including one with spaces, e.g. "interview summary".
• Real-world symptom: repo root gets folders named like search queries or error messages.

Root Cause (Code)

File:

• dist/lib/utils/project-root.js

Problematic behavior:

• findProjectRoot() currently treats the provided startDir as the project root without validating that it is a real project (git repo) or that it even exists.
• ensureProjectPaths() then unconditionally scaffolds .osgrep/ by calling fs.mkdirSync(dir, { recursive: true }).

This combination makes it easy for any caller bug (passing the wrong string as a path) to create arbitrary directories.

Proposed Fix

1. Make findProjectRoot() walk upward to find a real project marker (.git or existing .osgrep) rather than using the current directory as an implicit root.

2. Add a hard guard in ensureProjectPaths() so it ONLY creates directories when:

• root exists and is a directory, AND
• root is a git repo (.git) OR already has .osgrep.

If those conditions are not met, ensureProjectPaths() should return paths but skip scaffolding, or return an error that the path is invalid.

Why This Matters

• Prevents repository pollution (folders named after queries/errors)
• Prevents accidental directory creation from integrations that pass incorrect arguments
• Reduces unexpected side effects in CLI and MCP contexts

Workaround

Until fixed upstream: validate exec_path exists before calling osgrep, and avoid passing query/error text as the exec_path argument.