From 813dfaf375908a7cdca8990f84ff906daeb34542 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=AA=20Qu=E1=BB=91c=20V=C6=B0=C6=A1ng?=
Date: Fri, 24 Apr 2026 08:53:45 +0700
Subject: [PATCH] fix: prevent path traversal in save_text_file
---
 helpers/file_browser.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helpers/file_browser.py b/helpers/file_browser.py
index 4f58d4c2e..ec94da4f5 100644
--- a/helpers/file_browser.py
+++ b/helpers/file_browser.py
@@ -169,7 +169,7 @@ class FileBrowser:
 raise ValueError("File exceeds 1 MB and cannot be edited")
 full_path = (self.base_dir / file_path).resolve()
- if not str(full_path).startswith(str(self.base_dir)):
+ if not full_path.is_relative_to(self.base_dir.resolve()):
 raise ValueError("Invalid path")
 if full_path.exists() and full_path.is_dir():
 raise ValueError("Target is a directory")
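Review bot: `Path.is_relative_to` on the added line only exists from Python 3.9, so if the project still declares support for 3.8 every save will fail with AttributeError instead of the intended ValueError; either pin the minimum version in the packaging metadata or guard it with `try: full_path.relative_to(base)` / `except ValueError: raise ValueError("Invalid path")`. Resolving the base once, `base = self.base_dir.resolve()`, and using `base` for both the join on the preceding line and the containment check keeps the two sides consistent when base_dir is itself relative or a symlink, and it documents that the comparison is deliberately done on resolved paths so a symlink inside base_dir pointing outside is rejected. The containment check is a one-shot resolve, so the write that presumably follows should operate on `full_path` rather than re-joining `file_path`; that code is outside the hunk and I cannot confirm it. The enclosing method (save_text_file per the subject) starts and ends outside the hunk.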