24987179571
86%
master: 86%

Ran 27 Apr 2026 09:28AM UTC

Jobs 1

Files 5

Run time 1min

Badge

Embed ▾

Committed 27 Apr 2026 09:14AM UTC coverage: 86.169% (+0.2%) from 85.98%

Build # 24987179571

Build Type

Pull #6

github

Committed by

paskal

Commit Message

Resolve symlinks for path traversal check, drop substring guard

Previously, SafeResolvePath relied on `strings.Contains(path, "..")` plus a
lexical `filepath.Rel` boundary check. The substring check has false
positives on legitimate filenames (`a..b.md`, `....md`), and the Rel check
is purely lexical -- a symlink inside baseDir pointing to `/etc/passwd`
passes both and the file gets read. The existing symlink test was written
permissively and silently masked the bypass.

After this change, the check is split in two: a precise lexical check
catches above-root traversals (`../etc/passwd`) without rejecting filenames
that merely contain `..`, and `filepath.EvalSymlinks` resolves both base
and target so the boundary check sees the real filesystem path. Intra-base
symlinks remain allowed; symlinks escaping baseDir are rejected as
traversal. The symlink test now requires the error.

Resolves #5

Pull Request Pull Request #6: Fix symlink path traversal and false-positive .. filename rejection

Coverage Stats

16 of 22 new or added lines in 1 file covered. (72.73%)

704 of 817 relevant lines covered (86.17%)

24.75 hits per line

Uncovered Changes

Lines	Coverage	∆	File
6	87.5	-7.09%	app/scanner/path.go

Jobs

ID	Job ID	Ran	Files	Coverage
1	24987179571.1	27 Apr 2026 09:28AM UTC	5	86.17	GitHub Action Run

umputun / local-docs-mcp / 24987179571
86%
master: 86%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Uncovered Changes

Jobs

Source Files on build 24987179571

umputun / local-docs-mcp / 24987179571 86% master: 86%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Uncovered Changes

Jobs

Source Files on build 24987179571

umputun / local-docs-mcp / 24987179571
86%
master: 86%

README BADGES
x