From 3ff01ca48b3ffac34ba4aed9b2cea6eb89afc28e Mon Sep 17 00:00:00 2001
From: Niels Kaspers
Date: Mon, 16 Mar 2026 09:13:16 +0200
Subject: [PATCH] fix(filesystem): normalize UNC paths in access check

Use normalizePath() from path-utils instead of raw path.resolve(path.normalize()) in isPathWithinAllowedDirectories(). The normalizePath function has explicit UNC path handling that preserves the \\ prefix, whereas path.resolve can mangle UNC paths on Windows, causing subdirectory access checks to fail even when the parent UNC share is in the allowed directories list.

Fixes #3527
---
 src/filesystem/path-validation.ts | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/filesystem/path-validation.ts b/src/filesystem/path-validation.ts
index 972e9c49d0..cad086c258 100644
--- a/src/filesystem/path-validation.ts
+++ b/src/filesystem/path-validation.ts
@@ -1,4 +1,5 @@
 import path from 'path';
+import { normalizePath } from './path-utils.js';

 /**
 * Checks if an absolute path is within any of the allowed directories.
@@ -24,10 +25,10 @@ export function isPathWithinAllowedDirectories(absolutePath: string, allowedDire
 return false;
 }

- // Normalize the input path
+ // Normalize the input path using normalizePath to correctly handle UNC paths
 let normalizedPath: string;
 try {
- normalizedPath = path.resolve(path.normalize(absolutePath));
+ normalizedPath = normalizePath(path.resolve(normalizePath(absolutePath)));
 } catch {
 return false;
 }
@@ -48,10 +49,10 @@ export function isPathWithinAllowedDirectories(absolutePath: string, allowedDire
 return false;
 }

- // Normalize the allowed directory
+ // Normalize the allowed directory using normalizePath to correctly handle UNC paths
 let normalizedDir: string;
 try {
- normalizedDir = path.resolve(path.normalize(dir));
+ normalizedDir = normalizePath(path.resolve(normalizePath(dir)));
 } catch {
 return false;
 }
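Review bot: The `normalizedPath` assignment (and the matching `normalizedDir` assignment in the last hunk) now decides an access check from the output of `normalizePath`, yet the diffstat lists only path-validation.ts, so no test pins the new behaviour. The cases to cover are a subdirectory of an allowed UNC share being accepted, and a sibling share with a common name prefix or a path whose `..` segments leave the share still being rejected. `normalizePath` lives in path-utils and is not visible here, so confirm it only adjusts separators and prefix form; if it also trims or rewrites characters, the string that passes the check can differ from the path the caller later opens. Since the inner result still goes through `path.resolve`, which the description says can mangle UNC paths, a comment such as `// outer normalizePath restores the UNC prefix if path.resolve alters it` would explain why both calls are needed. The function body starts and ends outside these hunks.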