
feat: add --image-dir config for image download path control #297

Merged
GLips merged 3 commits into main from refactor/image-download-path-handling
Mar 19, 2026


@GLips GLips commented Mar 19, 2026

Summary

  • Adds --image-dir CLI flag / IMAGE_DIR env var to configure where the download tool writes files, defaulting to cwd()
  • The tool description now dynamically includes the configured directory so agents know where to save
  • localPath is resolved relative to imageDir using path.join, which gracefully handles the various path formats LLMs produce (leading slashes, ./ prefixes, etc.)
  • Adds filenameSuffix input validation to match fileName's existing character restrictions
  • Adds a resolved-path check in downloadFigmaImage as a second layer of path validation

Test plan

  • New path validation tests cover: traversal rejection, leading-slash handling, valid relative paths, and filename validation
  • Smoke tested by intentionally breaking each validation and confirming the corresponding test catches it
  • Existing tests unaffected
  • Manual test: start server with --image-dir and verify download tool description includes the path
  • Manual test: verify error message guides agent to use relative paths when given an invalid path

GLips added 3 commits March 19, 2026 11:42
Replace the broken cwd()-based path check with a configurable --image-dir
(IMAGE_DIR env var) that defaults to cwd(). localPath is now resolved
relative to this base directory, and the tool description dynamically
includes the configured path so agents know where to save files.

Also adds filenameSuffix regex validation and a defense-in-depth resolved
path check in downloadFigmaImage to prevent directory traversal regardless
of which parameter is the vector.

The test was only asserting isError, which also passes when the Figma
API call fails for unrelated reasons. Now checks for the specific path
validation error text.

LLMs frequently produce paths like "/public/images" when they mean
"public/images". path.resolve treats a leading slash as absolute and
ignores the base directory entirely. Switching to path.join ensures
all paths are resolved relative to imageDir regardless of format.
@GLips GLips merged commit 0417766 into main Mar 19, 2026
1 check passed
@GLips GLips deleted the refactor/image-download-path-handling branch March 19, 2026 20:39
medyas pushed a commit to YassineValue/Figma-Context-MCP that referenced this pull request Mar 22, 2026
- Replace sharp (native C++) with jimp (pure JS) for image processing
- Add --image-dir/IMAGE_DIR config for controlling image download path
- Skip jimp processing for SVGs, prevent image-fill collapse in SVG containers
- Handle drive root paths in image directory security check (Windows)
- Add defense-in-depth path check in downloadFigmaImage
- Add filenameSuffix regex validation
compassalessandrolorenz pushed a commit to compassalessandrolorenz/Figma-Context-MCP-AIR that referenced this pull request Mar 25, 2026
* refactor: add --image-dir config and harden download path handling

Replace the broken cwd()-based path check with a configurable --image-dir
(IMAGE_DIR env var) that defaults to cwd(). localPath is now resolved
relative to this base directory, and the tool description dynamically
includes the configured path so agents know where to save files.

Also adds filenameSuffix regex validation and a defense-in-depth resolved
path check in downloadFigmaImage to prevent directory traversal regardless
of which parameter is the vector.

* test: tighten prefix-match assertion to check error message

The test was only asserting isError, which also passes when the Figma
API call fails for unrelated reasons. Now checks for the specific path
validation error text.

* fix: use path.join so leading slashes are treated as relative

LLMs frequently produce paths like "/public/images" when they mean
"public/images". path.resolve treats a leading slash as absolute and
ignores the base directory entirely. Switching to path.join ensures
all paths are resolved relative to imageDir regardless of format.
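
Added example, not code from this pull request or the project: a sketch of the path.resolve versus path.join difference the commits describe, followed by a resolved-path containment check of the kind the summary calls a second layer of validation. The function names, the base directory and the sample paths are constructed for illustration, and the error text is hypothetical.

```javascript
// Added example: names, base directory and sample paths are constructed.
// Pinned to POSIX semantics so the sample paths behave the same on any host.
const path = require("node:path").posix;

const IMAGE_DIR = "/srv/app/assets"; // hypothetical --image-dir value

// path.resolve: a leading slash makes the argument absolute, so the base is dropped.
function withResolve(base, localPath) {
  return path.resolve(base, localPath);
}

// path.join: segments are concatenated, then normalized, so a leading slash
// stays under the base. Normalization still collapses "..", hence the check below.
function withJoin(base, localPath) {
  return path.join(base, localPath);
}

// True when target is the base itself or sits below it. Comparing against
// base + separator avoids the prefix-match bug where "/srv/app/assets-evil"
// passes a bare startsWith("/srv/app/assets").
function isInside(base, target) {
  const root = path.resolve(base);
  const resolved = path.resolve(target);
  const prefix = root.endsWith(path.sep) ? root : root + path.sep; // base may be "/"
  return resolved === root || resolved.startsWith(prefix);
}

// Second layer: join every caller-supplied part, then verify the final path,
// so it does not matter which parameter carried the "..".
function resolveDownloadPath(base, localPath, fileName) {
  const full = path.join(base, localPath, fileName);
  if (!isInside(base, full)) {
    throw new Error(`Invalid path: use a path relative to ${base}`);
  }
  return full;
}

// Constructed inputs in the formats the PR mentions, plus two traversal cases.
function demo() {
  return ["public/images", "/public/images", "./public/images", "../../etc", "../assets-evil"]
    .map((p) => {
      const joined = withJoin(IMAGE_DIR, p);
      return { input: p, resolve: withResolve(IMAGE_DIR, p), join: joined, allowed: isInside(IMAGE_DIR, joined) };
    });
}

console.table(demo());
```
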