lidf
69dd868e2f
- 独立 pyproject.toml(pip install -e .) - vendor_hermes.sh 已改为显式路径模式(不再依赖相对目录) - 包含 hermes vendor 快照
44 lines
1.3 KiB
Python
44 lines
1.3 KiB
Python
"""Shared path validation helpers for tool implementations.
|
|
|
|
Extracts the ``resolve() + relative_to()`` and ``..`` traversal check
|
|
patterns previously duplicated across skill_manager_tool, skills_tool,
|
|
skills_hub, cronjob_tools, and credential_files.
|
|
"""
|
|
|
|
import logging
|
|
from pathlib import Path
|
|
from typing import Optional
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
def validate_within_dir(path: Path, root: Path) -> Optional[str]:
|
|
"""Ensure *path* resolves to a location within *root*.
|
|
|
|
Returns an error message string if validation fails, or ``None`` if the
|
|
path is safe. Uses ``Path.resolve()`` to follow symlinks and normalize
|
|
``..`` components.
|
|
|
|
Usage::
|
|
|
|
error = validate_within_dir(user_path, allowed_root)
|
|
if error:
|
|
return json.dumps({"error": error})
|
|
"""
|
|
try:
|
|
resolved = path.resolve()
|
|
root_resolved = root.resolve()
|
|
resolved.relative_to(root_resolved)
|
|
except (ValueError, OSError) as exc:
|
|
return f"Path escapes allowed directory: {exc}"
|
|
return None
|
|
|
|
|
|
def has_traversal_component(path_str: str) -> bool:
|
|
"""Return True if *path_str* contains ``..`` traversal components.
|
|
|
|
Quick check for obvious traversal attempts before doing full resolution.
|
|
"""
|
|
parts = Path(path_str).parts
|
|
return ".." in parts
|