Security: path validation bypass via relative paths in write-commands.ts #707
Description
Hey — found this during a code review on our project where we vendor gstack.
File: browse/src/write-commands.ts:303
The path validation does strict boundary checks for absolute paths but falls back to a simple includes('..') for relative paths. That's easy to bypass.
Cleaner approach — always resolve first, then check:
const resolved = path.resolve(filePath);
const safeDirs = [TEMP_DIR, process.cwd()];
if (!safeDirs.some(dir => isPathWithin(resolved, dir))) {
throw new Error("Path must be within: " + safeDirs.join(", "));
}Happy to PR this if you want.