feat: Enhanced security with whitelist-based path validation

- Add comprehensive path traversal protection
- Block absolute path access outside project directories
- Prevent symbolic link escapes
- Add detailed security violation logging
- Update documentation with security features
- Release v1.0.5 with enhanced security

Author: mineclover

README.md

@@ -10,12 +10,17 @@ A powerful command-line interface for opening local files via custom URL scheme
 - 🔗 **Custom URL Protocol**: Register `fileopener://` scheme with your operating system
 - 📁 **Project Aliases**: Map project names to local directory paths
 - 🖥️ **Cross-Platform**: Works on macOS, Windows, and Linux
-- 🔒 **Security**: Built-in path traversal protection
+- 🔒 **Enhanced Security**: Whitelist-based path validation with protection against:
+  - Path traversal attacks (`../`, `~/`)
+  - Absolute path access outside project directories
+  - Symbolic link escapes
+  - Directory traversal bypass attempts
 - 🔄 **Dual URL Formats**: Supports both modern and legacy URL formats
 - ⚙️ **Configuration Management**: Easy project setup and management
 - 🛡️ **Error Handling**: Comprehensive error messages and validation
 - 🎯 **Config URL Support**: Access configuration via `fileopener://config`
 - 🔧 **ES Module Support**: Built with modern JavaScript (ES modules)
+- 🧹 **Memory Leak Prevention**: Automatic process cleanup after file operations
 - 🌐 **Web Integration**: Compatible with [fileopener-redirect-worker](https://github.com/mineclover/fileopener-redirect-worker) for HTTP-to-protocol redirection
 
 ## 🚀 Quick Start
@@ -349,13 +354,34 @@ fileopener://myproject/my%20file%20with%20spaces.txt
 
 ## 🔒 Security Features
 
-### Path Traversal Protection
-The tool prevents access to files outside the configured project directories:
+### Enhanced Whitelist-Based Security
+The tool implements comprehensive security measures to prevent unauthorized file access:
 
+#### Path Traversal Protection
 ```bash
 # ❌ These will be blocked:
 fopen open "fileopener://myproject/../../../etc/passwd"
-fopen open "fileopener://myproject/../../sensitive-file.txt"
+fopen open "fileopener://myproject?path=../sensitive-file.txt"
+fopen open "fileopener://myproject?path=~/Documents/private.txt"
+```
+
+#### Absolute Path Protection
+```bash
+# ❌ These will be blocked:
+fopen open "fileopener://myproject?path=/etc/passwd"
+fopen open "fileopener://myproject?path=/Users/otheruser/private.txt"
+```
+
+#### Symbolic Link Protection
+The tool resolves symbolic links and ensures they don't escape the project directory boundaries.
+
+#### Security Violation Messages
+When security violations are detected, the tool provides clear error messages:
+```
+Security violation: Path traversal attempt detected
+Access denied: Security policy violation
+Attempted access to: ../etc/passwd
+Allowed project path: /path/to/project
 ```
 
 ### File Validation

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@context-action/fopen-cli",
-  "version": "1.0.0",
+  "version": "1.0.5",
   "packageManager": "pnpm@10.14.0",
   "type": "module",
   "license": "MIT",

src/bin-simple.js

@@ -180,6 +180,54 @@ function openFile(filePath) {
   }, 5000) // 5 second timeout
 }
 
+// Security validation functions
+function validateFilePath(filePath, projectPath) {
+  // Check for path traversal attempts
+  if (filePath.includes('..') || filePath.includes('~')) {
+    console.log("Security violation: Path traversal attempt detected")
+    return false
+  }
+
+  // Check for absolute paths (should be relative to project)
+  if (path.isAbsolute(filePath)) {
+    console.log("Security violation: Absolute path not allowed")
+    return false
+  }
+
+  // Normalize the path to prevent various bypass attempts
+  const normalizedPath = path.normalize(filePath)
+  
+  // Check for any remaining traversal attempts after normalization
+  if (normalizedPath.includes('..')) {
+    console.log("Security violation: Path traversal detected after normalization")
+    return false
+  }
+
+  // Resolve full file path
+  const fullPath = path.resolve(path.join(projectPath, normalizedPath))
+  const normalizedProjectPath = path.resolve(projectPath)
+
+  // Ensure the resolved path is within the project directory
+  if (!fullPath.startsWith(normalizedProjectPath)) {
+    console.log("Security violation: Path outside project directory")
+    return false
+  }
+
+  // Check for symbolic links that might escape the project directory
+  try {
+    const realPath = fs.realpathSync(fullPath)
+    if (!realPath.startsWith(normalizedProjectPath)) {
+      console.log("Security violation: Symbolic link escapes project directory")
+      return false
+    }
+  } catch (error) {
+    // If realpathSync fails, the file might not exist yet, but we'll check later
+    // This is not a security violation by itself
+  }
+
+  return true
+}
+
 // Parse URL and open file
 function handleUrl(url) {
   console.log(`Processing URL: ${url}`)
@@ -223,7 +271,7 @@ function handleUrl(url) {
 
     console.log(`Project: ${project}, File: ${filePath}`)
 
-    // Get project path from config
+    // Get project path from config (whitelist check)
     const config = getConfig()
     const projectPath = config.projects[project]
 
@@ -236,13 +284,21 @@ function handleUrl(url) {
       return
     }
 
-    // Resolve full file path
-    const fullPath = path.resolve(path.join(projectPath, filePath))
+    // Security validation: whitelist-based path checking
+    if (!validateFilePath(filePath, projectPath)) {
+      console.log("Access denied: Security policy violation")
+      console.log(`Attempted access to: ${filePath}`)
+      console.log(`Allowed project path: ${projectPath}`)
+      return
+    }
+
+    // Resolve full file path (after validation)
+    const fullPath = path.resolve(path.join(projectPath, path.normalize(filePath)))
 
-    // Security check: ensure the resolved path is within the project directory
+    // Final security check: ensure the resolved path is within the project directory
     const normalizedProjectPath = path.resolve(projectPath)
     if (!fullPath.startsWith(normalizedProjectPath)) {
-      console.log("Path traversal detected - access denied for security reasons")
+      console.log("Security violation: Final path validation failed")
       return
     }