Summary
validateDestinationPath in certificateProvider.ts fails to detect path traversal attempts on Windows. The unit test "should reject destination path traversal attempts" fails because the original regex split does not correctly tokenize Windows backslash-separated paths.
Root Cause
The original check uses destination.split(/[\/]+/) which does not correctly split Windows paths built with path.join and path.sep. On Windows, path.join produces backslash-separated paths. When the resulting string is passed to the regex split, the entire path is returned as a single token, so .. is never found as an isolated segment.
Proposed Fix
Replace destination.split(/[\/]+/) with destination.split(path.sep) so the split is always consistent with the platform path separator.
Test Plan
npm test passes on Windows with the fix applied
"should reject destination path traversal attempts" passes
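The tokenization behaviour described under Root Cause and Proposed Fix, as an added example that is not code from certificateProvider.ts. It uses Node's path.win32 and path.posix so both platforms can be compared on any host; the names tokenizers, samples, detectsTraversal and matrix, the sample paths, and the "both" tokenizer are assumptions made for illustration.

```javascript
const path = require('path');

// Tokenizers under comparison.
const tokenizers = {
  // As quoted on the page: the character class contains only "/".
  original: (p) => p.split(/[\/]+/),
  // The proposed split(path.sep), as it evaluates on Windows and on POSIX.
  winSep: (p) => p.split(path.win32.sep),
  posixSep: (p) => p.split(path.posix.sep),
  // Assumption (not from the page): treat "\" and "/" both as separators.
  both: (p) => p.split(/[\\/]+/),
};

// Constructed sample inputs.
const samples = {
  // path.join normalizes, so this becomes "..\evil.pem" on Windows.
  winJoined: path.win32.join('out', '..', '..', 'evil.pem'),
  // The same call on POSIX yields "../evil.pem".
  posixJoined: path.posix.join('out', '..', '..', 'evil.pem'),
  // Raw string with forward slashes, which Windows also accepts.
  winForward: 'out/../../evil.pem',
};

// True when ".." appears as an isolated segment under the given tokenizer.
function detectsTraversal(tokenizerName, sampleName) {
  return tokenizers[tokenizerName](samples[sampleName]).includes('..');
}

// Build a tokenizer-by-sample table of detection results.
function matrix() {
  const rows = {};
  for (const t of Object.keys(tokenizers)) {
    rows[t] = {};
    for (const s of Object.keys(samples)) {
      rows[t][s] = detectsTraversal(t, s);
    }
  }
  return rows;
}

console.table(matrix());
```

The winForward column shows that splitting on the Windows separator alone leaves a forward-slash path as a single token, which is why the "both" row is included for comparison.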