Skip to content

fix(scaffold-mcp): restrict write-to-file to workspace#89

Merged
vuongngo merged 2 commits intomainfrom
fix/issue-88-scaffold-write-boundary
Apr 14, 2026
Merged

fix(scaffold-mcp): restrict write-to-file to workspace#89
vuongngo merged 2 commits intomainfrom
fix/issue-88-scaffold-write-boundary

Conversation

@vuongngo
Copy link
Copy Markdown
Contributor

@vuongngo vuongngo commented Apr 14, 2026

Summary

  • restrict \ targets to paths inside the current workspace
  • reject absolute-path and relative-traversal escapes before creating directories or writing files
  • add regression tests covering allowed in-workspace writes and blocked escape attempts

Testing

  • pnpm --filter @agiflowai/scaffold-mcp test -- --run tests/tools/WriteToFileTool.test.ts
  • pnpm --filter @agiflowai/scaffold-mcp typecheck
  • git commit hook: nx run-many -t test

Closes #88

@vuongngo vuongngo merged commit c4d2359 into main Apr 14, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Arbitrary File Write Vulnerability in write-to-file of @agiflowai/scaffold-mcp

1 participant

@vuongngo