Skip to content

fix: accept files under Windows drive-root projects (Z:\, C:\)#415

Open
Kamilslaoui93 wants to merge 1 commit into
colbymchenry:mainfrom
Kamilslaoui93:fix/windows-drive-root-path-validation
Open

fix: accept files under Windows drive-root projects (Z:\, C:\)#415
Kamilslaoui93 wants to merge 1 commit into
colbymchenry:mainfrom
Kamilslaoui93:fix/windows-drive-root-path-validation

Conversation

@Kamilslaoui93
Copy link
Copy Markdown

@Kamilslaoui93 Kamilslaoui93 commented May 25, 2026

Summary

codegraph index fails on any project located at a Windows drive root (e.g. C:\, Z:\, or a mapped network drive). Every file is rejected by the path-traversal check, indexing produces zero results, and the log fills with Path traversal blocked in batch reader for every file in the project.

Root cause

path.resolve('Z:\') returns Z:\ — a path that already ends with path.sep. The existing check appended another separator:

resolved.startsWith(normalizedRoot + path.sep)

…producing Z:\ for drive roots. No real file path under the drive root starts with Z:\, so the check fails for every file. For non-root projects (C:\Users\foo\proj) the appended separator is correct and the check works; the bug is specific to roots whose resolved form already terminates with path.sep.

Same bug existed in isPathWithinRoot and isPathWithinRootReal.

Fix

Extract a small ensureTrailingSep() helper that appends path.sep only when missing, and use it at all three call sites in src/utils.ts. Behaviour is unchanged for every non-drive-root project.

Reproduction

PS Z:\> npx @colbymchenry/codegraph index
# ...
[CodeGraph] Path traversal blocked in batch reader { filePath: 'configuration.yaml' }
[CodeGraph] Path traversal blocked in batch reader { filePath: 'automations.yaml' }
# ... repeated for every file, "Indexed 0 files"

With this patch applied locally I get:

Indexed 768 files
20,783 nodes, 20,015 edges in 2m 51s

Tests

Added 4 cases to __tests__/security.test.ts under a new Path-within-root helpers — Windows drive-root regression describe block:

  • Two Windows-gated cases that exercise the drive-root path (Z:\), skipped on POSIX and on Windows runners where Z:\ isn't mounted.
  • Two cross-platform cases asserting that legitimate traversal attempts (../escape.txt) are still rejected — guarding against the obvious failure mode of an over-eager fix.

Full __tests__/security.test.ts passes locally on Windows (41 passed, 2 POSIX-gated skipped).

Test plan

  • npx vitest run __tests__/security.test.ts — 41 passed
  • npx tsc --noEmit — clean
  • End-to-end: npx codegraph index on a project at Z:\ (mapped network drive) — 768 files indexed, 0 path-traversal warnings

fix: accept files under Windows drive-root projects (Z:\, C:\)
e1309c2 
`path.resolve('Z:\')` returns `Z:\` — a path already terminated with
the OS separator. The existing path-within-root check appended another
`path.sep`, producing `Z:\`, which no file under the root could ever
start with. Every file got rejected as a path-traversal attempt, so
`codegraph index` on a project at a drive root (or a mapped network
drive) emitted "Path traversal blocked in batch reader" for every file
and indexed nothing.

Same bug in `isPathWithinRoot` and `isPathWithinRootReal`. Fixed by
extracting an `ensureTrailingSep()` helper that only appends a
separator if one isn't already present.

Regression tests in __tests__/security.test.ts:
- Windows-gated, run only if Z:\ exists on the runner
- Cross-platform traversal-rejection tests still pass (existing
  behavior preserved)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Kamilslaoui93