Coverage for src / lilbee / security.py: 100%
1"""Security helpers — path validation, input sanitization."""
3from __future__ import annotations
5from pathlib import Path
def validate_path_within(path: str | Path, root: Path) -> Path:
    """Return the resolved form of *path* if it lies inside *root*.

    Both *path* and *root* are normalised with ``Path.resolve()`` before
    the containment test, so ``..`` segments and symlinks are collapsed
    first and the comparison is made on whole path components (a sibling
    such as ``<root>_other`` is not treated as being inside ``<root>``).

    Notes for callers:
        * A relative *path* is resolved against the process's current
          working directory, not against *root*; join it onto *root*
          beforehand if root-relative semantics are intended.
        * ``resolve()`` is non-strict here, so the target does not have
          to exist.
        * The check reflects the filesystem at call time only. Use the
          returned path for subsequent I/O rather than the original
          argument, and do not rely on it if the tree can be modified
          concurrently by an untrusted party.

    Raises:
        ValueError: the resolved path is outside the resolved *root*.
            The message embeds *path* exactly as it was supplied.
    """
    candidate = Path(path).resolve()
    base_dir = root.resolve()

    # Accept only when every leading component of the candidate matches
    # the resolved root; anything else is rejected.
    if candidate.is_relative_to(base_dir):
        return candidate

    raise ValueError(f"Path escapes allowed directory: {path}")