[fix] use platform path separator for windows compatibility #36

Closed
nice-bills wants to merge 2 commits into numman-ali:main from nice-bills:fix-windows-security-error

@nice-bills nice-bills commented Jan 6, 2026

Fixed issue #34, the "Security error: Installation path outside target directory" seen on Windows during skill installation.

Changes:

  • Replaced hardcoded / with path.sep in src/commands/install.ts security checks.
  • Updated isLocalPath to correctly detect Windows absolute paths (drive letters).
  • Refactored tests to be platform-agnostic, fixing failures on Windows.

Verified with npm test on Windows 11.

@nice-bills (Author)

@claude could you please review this pr?

Copilot AI left a comment

Pull request overview

This PR fixes Windows compatibility issues in skill installation by replacing hardcoded Unix path separators with platform-agnostic path handling. The changes resolve the "Security error: Installation path outside target directory" error that occurred on Windows systems.

Key changes:

  • Updated isLocalPath function to detect Windows absolute paths (drive letters like C:\)
  • Replaced hardcoded / with path.sep in security checks across three installation functions
  • Refactored tests to use join() and resolve() for platform-agnostic path handling

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| src/commands/install.ts | Added Windows absolute path detection to isLocalPath regex and replaced hardcoded / with sep in three security check locations |
| tests/commands/install.test.ts | Updated tests to use platform-agnostic path operations with join(), resolve(), and sep, including conditional Windows-specific tests |
| tests/utils/skills.test.ts | Replaced hardcoded path strings with join() calls in skill path assertions |
| tests/integration/e2e.test.ts | Changed non-existent path test to use join() with testTempDir instead of hardcoded Unix path |

it('should allow nested subdirectories', () => {
expect(isPathSafe('/home/user/.claude/skills/category/my-skill', '/home/user/.claude/skills')).toBe(true);
const base = resolve('/home/user/.claude/skills');
expect(isPathSafe(join(base, 'category/my-skill'), base)).toBe(true);
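
Review bot: within this hunk only the accepting path of isPathSafe is asserted, in the added `expect(isPathSafe(join(base, 'category/my-skill'), base)).toBe(true)` line, so a separator mistake that makes the check too permissive would not be caught here. Add a companion rejection assertion built from the same `base` via resolve() and join(), for example a sibling directory whose name merely starts with `skills`, and expect `toBe(false)`.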

Copilot AI Jan 6, 2026

The path 'category/my-skill' uses a hardcoded forward slash, which is inconsistent with the platform-agnostic approach used elsewhere in this PR. Use join('category', 'my-skill') instead to ensure the test works correctly on Windows.

Suggested change
expect(isPathSafe(join(base, 'category/my-skill'), base)).toBe(true);
expect(isPathSafe(join(base, 'category', 'my-skill'), base)).toBe(true);

@nice-bills nice-bills closed this by deleting the head repository Jan 10, 2026
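
Why a hardcoded `/` in a containment check produces the reported "Installation path outside target directory" error on Windows, and how the `path.sep` form behaves on the same inputs, as an added example that is not code from this PR or the project. The function names, the assumed prefix-test shape of the check, and the sample paths are assumptions; `insideRelative` goes beyond the PR by showing a `path.relative()` variant.

```javascript
// Added illustration: function names are hypothetical, not the project's code.
const path = require('node:path');

// Assumed shape of the old check: a prefix test with '/' hardcoded.
// `p` is path.posix or path.win32, so either platform's rules run on any host.
function insideHardcodedSlash(p, candidate, targetDir) {
  const resolved = p.resolve(candidate);
  const target = p.resolve(targetDir);
  return resolved === target || resolved.startsWith(target + '/');
}

// Same prefix test with the platform separator, as the PR description states.
function insidePlatformSep(p, candidate, targetDir) {
  const resolved = p.resolve(candidate);
  const target = p.resolve(targetDir);
  return resolved === target || resolved.startsWith(target + p.sep);
}

// Alternative that avoids string prefixes: a contained path has a relative
// form that neither climbs with '..' nor is absolute (another drive on Windows).
function insideRelative(p, candidate, targetDir) {
  const rel = p.relative(p.resolve(targetDir), p.resolve(candidate));
  return rel !== '..' && !rel.startsWith('..' + p.sep) && !p.isAbsolute(rel);
}

// Constructed sample paths (not taken from the project or the issue).
const WIN_TARGET = 'C:\\Users\\me\\.claude\\skills';
const WIN_CASES = {
  nested: WIN_TARGET + '\\category\\my-skill',
  sibling: 'C:\\Users\\me\\.claude\\skills-backup\\my-skill',
  traversal: WIN_TARGET + '\\..\\..\\my-skill',
  otherDrive: 'D:\\my-skill',
};

// Evaluate every sample against all three checks using Windows path rules.
function demo() {
  return Object.entries(WIN_CASES).map(([name, candidate]) => ({
    case: name,
    hardcodedSlash: insideHardcodedSlash(path.win32, candidate, WIN_TARGET),
    platformSep: insidePlatformSep(path.win32, candidate, WIN_TARGET),
    relative: insideRelative(path.win32, candidate, WIN_TARGET),
  }));
}

console.table(demo());
```

The `nested` row is the legitimate install path: the hardcoded-slash check rejects it under Windows rules, while both other checks accept it and still reject the sibling, traversal and other-drive cases.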