
[Repo Assist] fix: guard findFiles against out-of-boundary directory paths #138

Draft
github-actions[bot] wants to merge 1 commit into master from
repo-assist/improve-getstandard-cross-drive-path-guard-b0bf95c2657982fd


@github-actions github-actions bot commented Apr 8, 2026

🤖 This is an automated draft PR from Repo Assist.

Problem

findFiles() in lib/utils.js contains a subtle bug that only manifests when path.relative(workspaceRoot, fileDir) returns an absolute path rather than a relative one.

On Windows, path.relative between two paths on different drives returns an absolute path (e.g. path.relative("C:\\ws", "D:\\other") → "D:\\other"). When this is passed to findFiles, path.resolve(parent, directory) treats it as absolute and ignores parent entirely. The loop then walks up from D:\other all the way to D:\ — the loop's parent === currentDir stop condition is never satisfied because parent is on C:\.

The same issue can occur on Unix if directory happens to be an absolute path for any other reason.

Fix

Add an early-exit guard at the start of findFiles: if the resolved starting directory is not within parent (i.e. not equal to parent and not a descendant of parent), return null immediately.

Also, use the pre-resolved resolvedParent instead of the raw parent string in the loop's stop condition, to be consistent and correct regardless of whether parent was passed with a trailing separator.

```js
// New guard (added before the walk loop)
if (resolvedStart !== resolvedParent &&
    !resolvedStart.startsWith(resolvedParent + path.sep)) {
    return null;
}
```

Test Status

New test added to `test/unit.test.js`:

```
 findFiles (8/8 passing) 
  including:
   returns null when directory is outside parent (simulated cross-drive path)

node --check lib/utils.js: OK
node --check extension.js: OK
```

No CI workflow exists in this repository; all checks are manual.

Impact

  • Zero behaviour change for the common case (all paths on the same drive / filesystem)
  • Prevents unbounded upward walks on Windows multi-drive setups
  • Makes the stop condition more robust by comparing resolved paths throughout

Generated by Repo Assist ·

To install this agentic workflow, run

gh aw add githubnext/agentics/workflows/repo-assist.md@346204513ecfa08b81566450d7d599556807389f

When path.relative(workspaceRoot, fileDir) produces an absolute path
(e.g. on Windows when the document and workspace root are on different
drives), path.resolve(parent, directory) returns the absolute directory
unchanged. The subsequent upward walk then escapes the workspace
boundary, potentially scanning up to the filesystem root.

This commit adds an early-exit guard: if the resolved start path is not
within parent, findFiles returns null immediately. It also uses the
pre-resolved parent path in the loop's stop condition for consistency.

A regression test covering the out-of-boundary case is included.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
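
The containment guard described in this PR, run through `path.win32` and `path.posix` so the cross-drive case can be reproduced on any host; this is an added example, not code from the repository. `isWithinPrefix`, `isWithinRelative` and `walkUp` are hypothetical names, all inputs are constructed, and `isWithinRelative` is an alternative check that is not part of the PR.

```javascript
const path = require('path');

// Hypothetical helper: the guard as written in the PR description.
// `p` is path.win32 or path.posix, so either platform's rules run on any host.
function isWithinPrefix(p, parent, directory) {
    const resolvedParent = p.resolve(parent);
    const resolvedStart = p.resolve(resolvedParent, directory);
    return resolvedStart === resolvedParent ||
        resolvedStart.startsWith(resolvedParent + p.sep);
}

// Hypothetical alternative (not in the PR): decide containment from path.relative.
// Unlike the prefix test it also accepts descendants when parent is a filesystem
// root, where resolvedParent already ends in a separator ("/" + "/" === "//").
function isWithinRelative(p, parent, directory) {
    const resolvedParent = p.resolve(parent);
    const resolvedStart = p.resolve(resolvedParent, directory);
    const rel = p.relative(resolvedParent, resolvedStart);
    return rel === '' ||
        (!p.isAbsolute(rel) && rel !== '..' && !rel.startsWith('..' + p.sep));
}

// Hypothetical stand-in for the upward walk: returns the directories visited,
// or null when the start is outside parent (the early exit the PR adds).
function walkUp(p, parent, directory) {
    if (!isWithinRelative(p, parent, directory)) return null;
    const resolvedParent = p.resolve(parent);
    const visited = [];
    let current = p.resolve(resolvedParent, directory);
    while (true) {
        visited.push(current);
        // Compare with path.relative so the stop matches the containment rule.
        if (p.relative(resolvedParent, current) === '') return visited;
        current = p.dirname(current);
    }
}

// Constructed inputs; crossDrive is what path.relative yields across drives.
const crossDrive = path.win32.relative('C:\\ws', 'D:\\other'); // "D:\\other"
console.log(isWithinPrefix(path.win32, 'C:\\ws', crossDrive));     // outside
console.log(isWithinPrefix(path.win32, 'C:\\ws', '..\\ws-other')); // sibling prefix
console.log(walkUp(path.win32, 'C:\\ws\\', 'src\\lib'));           // bounded walk
console.log(isWithinPrefix(path.posix, '/', 'etc'),
    isWithinRelative(path.posix, '/', 'etc'));                     // root parent
```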