mirror of https://github.com/tw93/Mole.git synced 2026-02-04 16:49:41 +00:00

fix(security): allow Firefox ..files directories in path validation

Fixes #263

- Change regex from \.\. to (^|/)\.\.(/|$) to only match path components
- Firefox uses ..files suffix in IndexedDB dirs (e.g., name..files)
- Still blocks actual traversal: /tmp/../etc
- Added test cases for Firefox compatibility
- All 16 tests passing
Tw93
2026-01-06 09:51:34 +08:00
parent 3ef44efcf9
commit d3f1cdd834
3 changed files with 24 additions and 2 deletions


@@ -46,7 +46,9 @@ validate_path_for_deletion() {
fi
# Check for path traversal attempts
if [[ "$path" =~ \.\. ]]; then
# Only reject .. when it appears as a complete path component (/../ or /.. or ../)
# This allows legitimate directory names containing .. (e.g., Firefox's "name..files")
if [[ "$path" =~ (^|/)\.\.(\/|$) ]]; then
log_error "Path validation failed: path traversal not allowed: $path"
return 1
fi
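Review bot: the new condition in validate_path_for_deletion() writes the trailing group as `(\/|$)` while the leading group uses a plain `/`, and the commit message gives the pattern as `(^|/)\.\.(/|$)`. A slash needs no escaping in a bash `[[ =~ ]]` pattern, and a backslash before an ordinary character is undefined in POSIX ERE, so I would drop it and use `(^|/)\.\.(/|$)` to keep the code and the message identical. The added comment also lists only `/../`, `/..` and `../` as the rejected forms, but the pattern rejects a bare `..` as well (both anchors can match at once), which is worth stating so a later reader does not treat that case as unintended.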