Path traversal in runtime file I/O allows escaping port directories

While reviewing runtime I/O paths, I noticed we trust the [name](vscode-file://vscode-app/c:/Users/avina/AppData/Local/Programs/Microsoft%20VS%20Code/resources/app/out/vs/code/electron-browser/workbench/workbench.html) argument when building input/output file paths. Right now that value can include` ../` segments and escape the expected port directory. In practice this means a node can read or overwrite files outside the study workspace if it passes a crafted filename.

This affects local and docker-style runtimes (Java and Python code paths). It’s not just a bad input edge case; it’s a boundary break in core IPC.

Expected behavior,
resolve the final path and reject anything that does not stay under the intended port directory. Same guard should be applied consistently to both [read()](vscode-file://vscode-app/c:/Users/avina/AppData/Local/Programs/Microsoft%20VS%20Code/resources/app/out/vs/code/electron-browser/workbench/workbench.html) and [write()](vscode-file://vscode-app/c:/Users/avina/AppData/Local/Programs/Microsoft%20VS%20Code/resources/app/out/vs/code/electron-browser/workbench/workbench.html) paths.



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Path traversal in runtime file I/O allows escaping port directories #536

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Path traversal in runtime file I/O allows escaping port directories #536

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions