|
7 | 7 | checkSymlink, |
8 | 8 | isAllowedPath, |
9 | 9 | validatePath, |
| 10 | + validatePathForWrite, |
10 | 11 | } from "./path-security.js"; |
11 | 12 | import { mockFsFunction } from "./test-helpers.js"; |
12 | 13 |
|
@@ -320,3 +321,91 @@ describe("validatePath", () => { |
320 | 321 | } |
321 | 322 | }); |
322 | 323 | }); |
| 324 | + |
| 325 | +describe("validatePathForWrite", () => { |
| 326 | + beforeEach(() => { |
| 327 | + vi.clearAllMocks(); |
| 328 | + }); |
| 329 | + |
| 330 | + it("returns validated path when file exists", async () => { |
| 331 | + realpathMock.mockResolvedValue("/vault/notes/foo.md"); |
| 332 | + const result = await validatePathForWrite("notes/foo.md", EMPTY_OPTS); |
| 333 | + expect(result).toEqual({ ok: true, value: "/vault/notes/foo.md" }); |
| 334 | + }); |
| 335 | + |
| 336 | + it("succeeds for non-existent file in existing directory", async () => { |
| 337 | + const enoent = new Error("ENOENT") as NodeJS.ErrnoException; |
| 338 | + enoent.code = "ENOENT"; |
| 339 | + realpathMock |
| 340 | + .mockRejectedValueOnce(enoent) // /vault/notes/new.md does not exist |
| 341 | + .mockResolvedValueOnce("/vault/notes"); // /vault/notes exists |
| 342 | + const result = await validatePathForWrite("notes/new.md", EMPTY_OPTS); |
| 343 | + expect(result).toEqual({ ok: true, value: "/vault/notes/new.md" }); |
| 344 | + }); |
| 345 | + |
| 346 | + it("succeeds for non-existent nested directories", async () => { |
| 347 | + const enoent = new Error("ENOENT") as NodeJS.ErrnoException; |
| 348 | + enoent.code = "ENOENT"; |
| 349 | + realpathMock |
| 350 | + .mockRejectedValueOnce(enoent) // /vault/a/b/c.md |
| 351 | + .mockRejectedValueOnce(enoent) // /vault/a/b |
| 352 | + .mockRejectedValueOnce(enoent) // /vault/a |
| 353 | + .mockResolvedValueOnce("/vault"); // /vault exists |
| 354 | + const result = await validatePathForWrite("a/b/c.md", EMPTY_OPTS); |
| 355 | + expect(result).toEqual({ ok: true, value: "/vault/a/b/c.md" }); |
| 356 | + }); |
| 357 | + |
| 358 | + it("fails on symlink escape in ancestor", async () => { |
| 359 | + const enoent = new Error("ENOENT") as NodeJS.ErrnoException; |
| 360 | + enoent.code = "ENOENT"; |
| 361 | + realpathMock |
| 362 | + .mockRejectedValueOnce(enoent) // /vault/link/new.md |
| 363 | + .mockResolvedValueOnce("/outside"); // /vault/link resolves outside |
| 364 | + const result = await validatePathForWrite("link/new.md", EMPTY_OPTS); |
| 365 | + expect(result.ok).toBe(false); |
| 366 | + if (!result.ok) { |
| 367 | + expect(result.error.code).toBe("PERMISSION_DENIED"); |
| 368 | + } |
| 369 | + }); |
| 370 | + |
| 371 | + it("fails on path traversal", async () => { |
| 372 | + const result = await validatePathForWrite("../../etc/passwd", EMPTY_OPTS); |
| 373 | + expect(result.ok).toBe(false); |
| 374 | + if (!result.ok) { |
| 375 | + expect(result.error.code).toBe("PERMISSION_DENIED"); |
| 376 | + } |
| 377 | + expect(realpathMock).not.toHaveBeenCalled(); |
| 378 | + }); |
| 379 | + |
| 380 | + it("fails on blocked folder", async () => { |
| 381 | + const result = await validatePathForWrite("private/new.md", { |
| 382 | + ...EMPTY_OPTS, |
| 383 | + blocked: ["private"], |
| 384 | + }); |
| 385 | + expect(result.ok).toBe(false); |
| 386 | + if (!result.ok) { |
| 387 | + expect(result.error.code).toBe("PERMISSION_DENIED"); |
| 388 | + } |
| 389 | + expect(realpathMock).not.toHaveBeenCalled(); |
| 390 | + }); |
| 391 | + |
| 392 | + it("fails on allowed folder violation", async () => { |
| 393 | + const result = await validatePathForWrite("other/new.md", { |
| 394 | + ...EMPTY_OPTS, |
| 395 | + allowed: ["notes"], |
| 396 | + }); |
| 397 | + expect(result.ok).toBe(false); |
| 398 | + if (!result.ok) { |
| 399 | + expect(result.error.code).toBe("PERMISSION_DENIED"); |
| 400 | + } |
| 401 | + expect(realpathMock).not.toHaveBeenCalled(); |
| 402 | + }); |
| 403 | + |
| 404 | + it("returns canonicalized path, not realpath of ancestor", async () => { |
| 405 | + const enoent = new Error("ENOENT") as NodeJS.ErrnoException; |
| 406 | + enoent.code = "ENOENT"; |
| 407 | + realpathMock.mockRejectedValueOnce(enoent).mockResolvedValueOnce("/vault/notes"); |
| 408 | + const result = await validatePathForWrite("notes/new.md", EMPTY_OPTS); |
| 409 | + expect(result).toEqual({ ok: true, value: "/vault/notes/new.md" }); |
| 410 | + }); |
| 411 | +}); |
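Review bot: The last test, "returns canonicalized path, not realpath of ancestor", cannot fail for the reason its title gives, because the mocked ancestor realpath `/vault/notes` is identical to the lexical parent, and its setup and assertion repeat the "succeeds for non-existent file in existing directory" test. Resolving the ancestor to a different in-vault location, e.g. `realpathMock.mockRejectedValueOnce(enoent).mockResolvedValueOnce("/vault/real-notes");` (constructed value), while still expecting `/vault/notes/new.md`, would pin the behaviour. The suite also has no case for an ancestor symlink that stays inside the vault but resolves into a `blocked` folder (or out of an `allowed` one); the blocked/allowed tests assert that `realpathMock` is never called, so those checks appear to run on the lexical path only and such a link may pass them on write, which is worth confirming against the implementation (not shown here). A case where `realpath` rejects with a code other than `ENOENT` (for example `EACCES` or `ELOOP`) is missing as well, so nothing pins that the ancestor walk fails closed.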