feat: honor MARKITDOWN_SAFE_DIRS env var for configurable safe directories #39
Closed
kdjkdjkdj wants to merge 1 commit into
…dn#38)

The hardcoded safe-directory list (Path.cwd, ~/Documents, ~/Downloads, ~/Desktop, ~/tmp, tempdir, tests/fixtures) is too restrictive for real-world use: OneDrive / SharePoint / Dropbox sync roots, NAS mounts, and project directories on non-system drives are all outside it, and there is no way to add them.

Read MARKITDOWN_SAFE_DIRS (os.pathsep separated, so ":" on Unix and ";" on Windows) and append each existing path to the safe-dir list. Non-existent entries are logged at WARNING so typos don't silently disappear. Paths are resolved via Path.resolve() so the existing prefix-based security check continues to work against ".." inputs.

Refs: trsdn#38

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned Files: None

trsdn added a commit that referenced this pull request Jun 10, 2026
## Summary

- fix OOXML validation so DOCX/XLSX/PPTX ZIP containers are not sent through XML sanitization
- add `MARKITDOWN_SAFE_DIRS` support and make safe-directory initialization robust when home cannot be resolved
- make `tools/list` schema compatible with Claude/Anthropic clients and stop responding to JSON-RPC notifications
- configure stdio for UTF-8/LF startup behavior and stabilize fragile performance thresholds

## Validation

- `python3 -m ruff check .`
- `PATH="/Library/Frameworks/Python.framework/Versions/3.12/bin:$PATH" python3 -m pytest -q`

Refs #36
Refs #38
Closes #40

## Acknowledgements

Thanks to @kdjkdjkdj for opening #37 and #39 with the Windows/MCP protocol fixes and configurable safe-directory work, and to @pagatino-afk for opening #41 with the Office Open XML corruption fix. Those contributions helped identify and validate the issues consolidated in this PR.
Owner
Thanks again @kdjkdjkdj for the MARKITDOWN_SAFE_DIRS work in this PR. We consolidated and merged this via #44, including acknowledgement there, so I'm closing this PR as superseded by #44.
Closes #38.

Adds support for the `MARKITDOWN_SAFE_DIRS` env variable, an `os.pathsep`-separated list of absolute paths appended to the safe-directory list. Rationale and security notes in #38.

## Behavior

- `:` on Unix, `;` on Windows (via `os.pathsep`).
- WARNING, skipped.
- `Path.resolve()` so the existing prefix-based safety check continues to handle `..` inputs correctly.

## Parallel to #37

This branch is cut from `main` (not from the #37 branch) so the PRs are reviewable independently. The only textual overlap with #37 is inside `get_safe_working_directories()`; once one of the two lands, the other rebases trivially.
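
The parsing rules described in this PR, as an added example that is not the PR's code or the project's implementation. The function names, logger name and sample directories are hypothetical, and the component-wise containment check is an assumption, since the project's own prefix check is not shown on this page.

```python
import logging
import os
import tempfile
from pathlib import Path

log = logging.getLogger("safe_dirs_example")  # hypothetical logger name


def parse_safe_dirs(raw: str) -> list[Path]:
    """Turn an os.pathsep-separated value into resolved, existing directories."""
    dirs: list[Path] = []
    for entry in raw.split(os.pathsep):
        if not entry.strip():
            # An empty entry would become the current directory via Path("").resolve().
            continue
        path = Path(entry.strip())
        if not path.is_absolute():
            # Assumption: stricter than the PR text, which only says "absolute paths".
            log.warning("skipping relative entry: %s", entry)
            continue
        resolved = path.resolve()
        if not resolved.is_dir():
            log.warning("skipping non-existent entry: %s", entry)
            continue
        dirs.append(resolved)
    return dirs


def is_within_safe_dirs(candidate: str, safe_dirs: list[Path]) -> bool:
    """Resolve first (collapses ".." and symlinks), then compare whole components."""
    target = Path(candidate).resolve()
    return any(target == d or d in target.parents for d in safe_dirs)


def demo() -> dict:
    """Constructed sample: one valid dir, an empty entry, a relative and a missing one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        safe, sibling = root / "docs", root / "docs-private"
        safe.mkdir()
        sibling.mkdir()
        raw = os.pathsep.join([str(safe), "", "relative/dir", str(root / "missing")])
        dirs = parse_safe_dirs(raw)
        return {
            "parsed_only_valid": dirs == [safe],
            "inside": is_within_safe_dirs(str(safe / "report.docx"), dirs),
            "dotdot": is_within_safe_dirs(str(safe / ".." / "docs-private" / "x"), dirs),
            # str(sibling).startswith(str(safe)) is True; component comparison is not.
            "sibling": is_within_safe_dirs(str(sibling / "x"), dirs),
        }
```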