
fix: allow '..' in filenames without triggering traversal check#1

Open
lucbrinkman wants to merge 1 commit into No-Instructions:main from lucbrinkman:fix/sanitize-path-dotdot-in-filenames

Conversation

@lucbrinkman

Summary

  • The _sanitize_path substring check if ".." in path is too broad — it rejects filenames containing ellipsis (e.g., "If It's Valuable and Can Be Done....md")
  • Changed to check for ".." as a path component only (any(part == ".." for part in path.split("/")))
  • This still blocks actual traversal attempts like ../etc/passwd while allowing dots in filenames
  • The existing abspath + startswith normalization check below provides an additional safety net

Test plan

  • Existing traversal tests still pass (43/43)
  • Added test for filenames containing ellipsis
  • Removed false-positive test that expected ..\\evil.txt to be rejected (on Linux \ is a valid filename char, not a path separator)

🤖 Generated with Claude Code

The substring check `if ".." in path` was too broad — it rejected
filenames containing ellipsis (e.g., "If It's Valuable....md").
Changed to check for ".." as a path component only, which still
blocks actual traversal attempts like "../etc/passwd" while allowing
dots in filenames. The existing abspath normalization check provides
an additional safety net.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
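The two-layer check the PR describes, written out as an added Python example (not the project's own code): a component-wise `..` test first, then the abspath normalisation net, including the absolute-path and sibling-directory inputs that only the second layer catches. `sanitize_path`, `BASE_DIR` and the sample inputs are assumptions made for this example.

```python
import posixpath

# Constructed for this example: every resolved path must stay inside this directory.
BASE_DIR = "/srv/vault"


def has_dotdot_component(path: str) -> bool:
    """'..' counts only as a whole segment, so 'Can Be Done....md' is a filename."""
    return any(part == ".." for part in path.split("/"))


def sanitize_path(path: str, base_dir: str = BASE_DIR) -> str:
    """Return the resolved absolute path if it is safe, else raise ValueError.

    Layer 1 rejects an explicit '..' component (cheap, clear error). Layer 2
    normalises the joined path and requires it to stay under base_dir; it is the
    net for inputs layer 1 cannot express, e.g. an absolute path or a sibling
    directory whose name merely starts with base_dir. posixpath is used so the
    result is the same on every host; Windows would also need backslashes normalised.
    """
    if has_dotdot_component(path):
        raise ValueError(f"path traversal rejected: {path!r}")

    base_abs = posixpath.abspath(base_dir)
    resolved = posixpath.abspath(posixpath.join(base_abs, path))
    # Compare with a trailing separator: a bare startswith("/srv/vault")
    # would also accept "/srv/vault_backup/secret".
    if not resolved.startswith(base_abs + "/"):
        raise ValueError(f"path escapes {base_dir!r}: {path!r}")
    return resolved


def classify(path: str) -> str:
    """'accepted' or 'rejected', to show both layers acting together."""
    try:
        sanitize_path(path)
        return "accepted"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    # Constructed inputs: the ellipsis case from the PR, the traversal it must
    # still block, and two that only the normalisation layer catches.
    for candidate in ["If It's Valuable and Can Be Done....md", "../etc/passwd",
                      "notes/../../etc/passwd", "/srv/vault_backup/secret",
                      "/etc/passwd"]:
        print(f"{classify(candidate):8s} {candidate}")
```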