You are now the owner of this repo.

umputun / local-docs-mcp
86%
master: 86%

Repo Added 23 Oct 2025 05:11PM UTC

Token UDy3zpjkBsfbd0FTXIejhwHLS5jym3Xyq regen

Build 31 Last

Files 5

Badge

Embed ▾

LAST BUILD ON BRANCH fix/path-symlink-traversal
branch: SELECT

CHANGE BRANCH
x

Sync Branches

No branch selected

ci/workflow-hardening

dependabot/go_modules/github.com/modelcontextprotocol/go-sdk-1.4.1

fix/path-symlink-traversal

master

refs/tags/v0.1.0

refs/tags/v0.2.0

Committed 27 Apr 2026 09:14AM UTC coverage: 86.169% (+0.2%) from 85.98%

Build # 24987179571

Build Type

Pull #6

github

Committed by

paskal

Commit Message

Resolve symlinks for path traversal check, drop substring guard

Previously, SafeResolvePath relied on `strings.Contains(path, "..")` plus a
lexical `filepath.Rel` boundary check. The substring check has false
positives on legitimate filenames (`a..b.md`, `....md`), and the Rel check
is purely lexical -- a symlink inside baseDir pointing to `/etc/passwd`
passes both and the file gets read. The existing symlink test was written
permissively and silently masked the bypass.

After this change, the check is split in two: a precise lexical check
catches above-root traversals (`../etc/passwd`) without rejecting filenames
that merely contain `..`, and `filepath.EvalSymlinks` resolves both base
and target so the boundary check sees the real filesystem path. Intra-base
symlinks remain allowed; symlinks escaping baseDir are rejected as
traversal. The symlink test now requires the error.

Resolves #5

Pull Request Pull Request #6: Fix symlink path traversal and false-positive .. filename rejection

Coverage Stats

16 of 22 new or added lines in 1 file covered. (72.73%)

704 of 817 relevant lines covered (86.17%)

24.75 hits per line

Relevant lines Covered

817 RELEVANT LINES 704 COVERED LINES

24.75 HITS PER LINE

Source Files on master

Recent builds

Builds	Branch	Commit	Type	Ran	Committer	Via	Coverage
24987179571	fix/path-symlink-traversal	Resolve symlinks for path traversal check, drop substring guard Previously, SafeResolvePath relied on `strings.Contains(path, "..")` plus a lexical `filepath.Rel` boundary check. The substring check has false positives on legitimate filenames (`a...	Pull #6	27 Apr 2026 09:28AM UTC	paskal	github	86.17
24546230892	master	Merge pull request #4 from umputun/dependabot/go_modules/github.com/modelcontextprotocol/go-sdk-1.4.1 chore(deps): bump github.com/modelcontextprotocol/go-sdk from 1.1.0 to 1.4.1	push	17 Apr 2026 03:32AM UTC	web-flow	github	85.98
23295459580	dependabot/go_modules/github.com/modelcontextprotocol/go-sdk-1.4.1	chore(deps): bump github.com/modelcontextprotocol/go-sdk Bumps [github.com/modelcontextprotocol/go-sdk](https://github.com/modelcontextprotocol/go-sdk) from 1.1.0 to 1.4.1. - [Release notes](https://github.com/modelcontextprotocol/go-sdk/releases...	Pull #4	19 Mar 2026 12:46PM UTC	web-flow	github	pending completion
23131172233	master	Merge pull request #3 from paskal/ci/workflow-hardening ci: harden workflows, upgrade actions, fix caching	push	16 Mar 2026 06:38AM UTC	web-flow	github	86.48
22810694237	ci/workflow-hardening	ci: add fetch-depth: 0 for goreleaser goreleaser needs full git history for changelog generation and tag resolution. See https://goreleaser.com/ci/actions/	Pull #3	08 Mar 2026 12:48AM UTC	paskal	github	85.73
22808132034	ci/workflow-hardening	ci: add fetch-depth: 0 for goreleaser goreleaser needs full git history for changelog generation and tag resolution. See https://goreleaser.com/ci/actions/	Pull #3	07 Mar 2026 10:01PM UTC	paskal	github	86.23
22805698047	ci/workflow-hardening	ci: harden workflows, upgrade actions, fix caching	Pull #3	07 Mar 2026 07:30PM UTC	paskal	github	85.98
21639785618	master	fix(brew): add directory field to publish formula to Formula/ Related to umputun/homebrew-apps#1	push	03 Feb 2026 05:06PM UTC	umputun	github	86.23
19400152232	master	chore: improve project health with deps, docs, and test coverage update dependencies to latest versions including MCP SDK v1.1.0 and golang.org/x packages. remove CONTRIBUTING.md and fix broken documentation references in CLAUDE.md. add comprehen...	push	16 Nov 2025 04:11AM UTC	umputun	github	85.73
19325528980	refs/tags/v0.2.0	feat(scanner): add yaml frontmatter support for markdown files implement optional yaml frontmatter parsing with description and tags fields. frontmatter enhances search with score boosting (+0.5 description, +0.3 exact tag, +0.15 partial tag, cap...	push	13 Nov 2025 08:40AM UTC	umputun	github	85.36

See All Builds (30)

Badge your Repo: local-docs-mcp

We detected this repo isn’t badged! Grab the embed code to the right, add it to your repo to show off your code coverage, and when the badge is live hit the refresh button to remove this message.

Embed ▾

Refresh

umputun / local-docs-mcp
86%
master: 86%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst