From a717d24c6c39b916b1865a92c82bf07f692188c4 Mon Sep 17 00:00:00 2001
From: biostochastics
Date: Mon, 2 Feb 2026 00:24:44 -0800
Subject: [PATCH] fix: allow framework route patterns in path validation

The path traversal regex was too broad - r"\.\." blocked any occurrence of ".." including valid Next.js catch-all routes like [[...slug]].
Changed to r"(?:^|[\\/])\.\.(?:[\\/]|$)" which only matches ".." when it appears as a standalone path component (actual traversal patterns).
Now correctly:
- Blocks: ../foo, foo/../bar, foo/.., ..\bar
- Allows: [[...slug]], [...slug], foo...bar, file..txt
---
 codeconcat/utils/security.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/codeconcat/utils/security.py b/codeconcat/utils/security.py
index 49f1f23..12a4cfe 100644
--- a/codeconcat/utils/security.py
+++ b/codeconcat/utils/security.py
@@ -42,7 +42,7 @@ class PathValidator:
 # Dangerous path patterns
 DANGEROUS_PATTERNS = [
- r"\.\.", # Parent directory
+ r"(?:^|[\\/])\.\.(?:[\\/]|$)", # Parent directory as path component (../foo, foo/.., etc.)
 r"~", # Home directory
 r"\$", # Environment variables
 r"%", # Windows environment variables
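Review bot: The narrowed pattern on the `+` line is not pinned by any test — the diffstat shows only `codeconcat/utils/security.py` changed — so the block/allow table in the commit message exists only in prose and can regress silently. The eight listed cases are cheap to assert directly against the entry, e.g. `for p in ("../foo", "foo/../bar", "foo/..", r"..\bar"): assert re.search(PATTERN, p)` and `for p in ("[[...slug]]", "[...slug]", "foo...bar", "file..txt"): assert not re.search(PATTERN, p)`. The `(?:^|[\\/])` prefix only does its job if `DANGEROUS_PATTERNS` is consumed with `re.search` rather than `re.match`; the consumer is outside this hunk, so that is worth confirming, since a `re.match` caller would now miss `foo/../bar`. Because this entry is a denylist heuristic rather than a containment check, the inline comment could also state that it catches only a literal `..` path component and that any resolved-path containment check elsewhere in `PathValidator` remains the authoritative control — presumably one exists, but it is not visible here. The enclosing `class PathValidator` begins outside the hunk.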