fix(editor): stricter path validation for oxc.path.server
#14202
Pull Request Overview
This PR enhances the path validation logic for the oxc.path.server configuration by implementing stricter validation rules to prevent potential security vulnerabilities. The changes focus on improving the detection of malicious paths and ensuring only legitimate oxc_language_server binaries are accepted.
- Enhanced path traversal detection to include Windows-specific patterns
- Added Windows-specific malicious character patterns (%, ^) to the validation
- Implemented case-insensitive filename validation that only checks the actual filename portion of the path
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| editors/vscode/client/PathValidator.ts | Updated validation logic with stricter path traversal checks, expanded malicious pattern detection, and improved filename validation |
| editors/vscode/tests/PathValidator.spec.ts | Added comprehensive test coverage for case variations, Windows-specific malicious patterns, and directory traversal edge cases |
## [1.19.0] - 2025-09-29

### 🚀 Features

- eb6345f linter/unicorn: Implement no-array-callback-reference (#14230) (camc314)
- c64fa61 linter: Add `import/no-named-export` rule (#14229) (yefan)
- d30159b linter: Fix for unsorted keys (#14225) (Hamir Mahal)
- acd1266 linter/plugins: `oxlint` export types (#14163) (overlookmotel)
- c0e461f linter: Add `unicorn/no-array-sort` rule (#14117) (Cason Kervis)
- 00954de linter/plugins: Remove `--js-plugins` CLI option (#14134) (overlookmotel)
- b4d716f linter/plugins: Move custom JS plugin config to `jsPlugins` (#14133) (overlookmotel)
- 60f0b3f linter: Add fix for `preserve-caught-error` (#14104) (Cam McHenry)
- 2d74c17 linter/no-multiple-resolved: Implement promise rule no-multiple-resolved (#13420) (Li Wei)
- 5e05d1b semantic: Put jsdoc behind linter feature, remove runtime flag (#14140) (Boshen)
- 71af1aa semantic: Add "linter" feature (#14139) (Boshen)
- 1a6d7ae linter: Add `vue/max-props` rule (#14039) (yefan)
- 9c3afea linter/plugins: Support fixes (#14094) (overlookmotel)
- 1472147 linter: Move `no-unused-expressions` to correctness (#14099) (camchenry)
- 8b7c784 linter: Add react/jsx-pascal-case rule (#12165) (Mikhail Baev)
- c796966 linter/plugins: Add `meta` property to rules (#14089) (overlookmotel)

### 🐛 Bug Fixes

- 39a171e linter: Get cli args on JS side, to avoid runtime inconsistencies (#14223) (camc314)
- e045391 linter/plugins: Error on JS plugin with reserved name (#14226) (overlookmotel)
- 6005015 linter: Correctly handle CRLF when inserting disable comments in framework files (#14228) (shulaoda)
- 37f6b09 linter/plugins: Make `null` a valid value for `meta.fixable` (#14204) (overlookmotel)
- 8879b5a linter/plugins: Add types export to `npm/oxlint` (#14219) (overlookmotel)
- e37c435 language_server: Correct position for "ignore this rule for this file" in vue/astro/svelte files (#14187) (Sysix)
- f8abab2 editor: Stricter path validation for `oxc.path.server` (#14202) (Sysix)
- e9a14d1 linter/plugins: Allow `fix` function to return `undefined` (#14182) (overlookmotel)
- ee9ecbe linter/plugins: Fix TS type for fixer methods (#14166) (overlookmotel)
- 03d1684 linter/plugins: Output warning on first JS plugin load (#14165) (overlookmotel)
- 9716f7c linter/plugins: Fix TS types (#14162) (overlookmotel)
- d36d227 language_server: Don't lint file on code action when it is already ignored (#13976) (Sysix)
- 353bfe7 language_server: Check if tsconfig path is a file before starting the `LintService` (#14126) (Sysix)
- fc7026d linter: Add missing `NODE_TYPES`, `cfg_id` method for no-multiple-resolved (#14147) (camc314)
- 180c790 linter: Fix false positive in `no-restricted-globals` (#14135) (yefan)
- 4a4fce8 linter: Fix cli argument parsing (#14112) (camc314)
- 9f3e2bc linter/plugins: Output errors thrown in JS plugins (#14096) (overlookmotel)
- 357a2d3 linter: Add support for `tsgolint.exe` on Windows (#14101) (camchenry)
- 2604b28 linter: Fix lint errors building `oxlint` (#14095) (overlookmotel)
- d8e9cc5 linter/plugins: Validate type of `before` and `after` hooks (#14086) (overlookmotel)

### 🚜 Refactor

- 4c3f1ac linter: Move `BUILT_IN_ERRORS` to utils file (#14221) (camc314)
- 61ec0a7 linter/plugins: Simplify creation of `context` in `defineRule` ESLint shim (#14206) (overlookmotel)
- 7a0eb57 language_server: Refactor ignore code action logic as a linter fix (#14183) (Sysix)
- 3b1fe6f linter/plugins: Flatten directory structure of `dist` (#14199) (overlookmotel)
- d52cba6 linter: Bump TSDown to latest (#14198) (overlookmotel)
- 983dd1b linter/plugins: Add `Fixer` type (#14180) (overlookmotel)
- 2f8b076 linter/plugins: Remove dead code (#14178) (overlookmotel)
- 497236e semantic: Move AstNode::cfg_id to struct of arrays in AstNodes (#14137) (Boshen)
- 5ba765c semantic: Move AstNode::flags to struct of arrays in AstNodes (#14136) (Boshen)
- ffc810d linter: `preserve-caught-errors`: rename config and add docs (#14103) (camchenry)
- f91db73 linter: Add `CompositeFix::merge_fixes_fallible` method (#14093) (overlookmotel)
- e55ffe0 curly: Enhance curly brace rule configuration and handling (#13498) (Antoine Zanardi)
- 2fb69fd eslint/eqeqeq: Clean up implementation and improve documentation (#13527) (Antoine Zanardi)
- e69cd86 linter/plugins: `loadPluginImpl` return an object (#14087) (overlookmotel)

### 📚 Documentation

- b83b1bd language_server: Docs for `Backend` struct (#14172) (Sysix)
- 3106ba0 language_server: Docs for `WorkspaceWorker` (#14161) (Sysix)
- b19f5bc linter/plugins: Improve JSDoc comments for `definePlugin` and `defineRule` (#14159) (overlookmotel)

### ⚡ Performance

- 2575065 linter/plugins: Store if rule is fixable as boolean (#14205) (overlookmotel)
- b6d2546 linter: Reduce string cloning in tsgo fixes (#14092) (overlookmotel)
- c94c5dc linter: Remove allocation in `CompositeFix::merge_fixes` (#14090) (overlookmotel)

### 🧪 Testing

- be58d6d language_server: Fix test for ServerFormatter in windows (#14210) (Sysix)
- a9b603e linter/plugins: Convert all plugins in tests to TS (#14200) (overlookmotel)
- 6ff3a23 linter/plugins: Add tests for `.ts`, `.mts`, `.cts` plugin files (#14164) (overlookmotel)
- 8988d64 linter/plugins: Add line breaks to plugins files (#14181) (overlookmotel)
- d7041c1 language_server: Add linebreaks for formatter snapshot (#14173) (Sysix)
- 52db331 linter/plugins: Type-check test fixtures (#14158) (overlookmotel)
- aca083a linter/plugins: Include stderr output in snapshots (#14155) (overlookmotel)
- a3c8f46 linter/plugins: Do not run `pnpm` in tests (#14157) (overlookmotel)
- d985aeb editor: Remove cross-module tests, covered by language server (#14156) (Sysix)
- 0029b7f linter/plugins: Normalize line breaks in snapshots (#14154) (overlookmotel)
- 7f2c101 linter/plugins: Specify path to `node` in tests (#14152) (overlookmotel)
- fc14abc linter/plugins: Format test fixtures (#14125) (overlookmotel)
- a6f965f linter/plugins: Simplify configs in test fixtures (#14124) (overlookmotel)
- b1685f7 linter/plugins: Refactor tests (#14123) (overlookmotel)
- 788e495 linter/plugins: Improve ESLint compat tests (#14119) (overlookmotel)
- 5750077 linter/plugins: Fix file paths in snapshots (#14115) (overlookmotel)
- 5c862f9 linter/plugins: Standardize test fixture structure (#14114) (overlookmotel)

Co-authored-by: camc314 <18101008+camc314@users.noreply.github.com>
No description provided.