ui Architecture Docs
Home / Function/ isSafeTarget() — ui Function Reference

isSafeTarget() — ui Function Reference

Architecture documentation for the isSafeTarget() function in is-safe-target.ts from the ui codebase.

Function typescript FrameworkTooling CLICore

Entity Profile

Dependency Diagram

graph TD
  c9c09f41_8300_8c29_1c8d_e7e4c7dfe4ec["isSafeTarget()"]
  22d57e3f_c7a1_875c_b20f_1abd5aa38b48["is-safe-target.ts"]
  c9c09f41_8300_8c29_1c8d_e7e4c7dfe4ec -->|defined in| 22d57e3f_c7a1_875c_b20f_1abd5aa38b48
  style c9c09f41_8300_8c29_1c8d_e7e4c7dfe4ec fill:#6366f1,stroke:#818cf8,color:#fff

Relationship Graph

Source Code

packages/shadcn/src/utils/is-safe-target.ts lines 3–98

export function isSafeTarget(targetPath: string, cwd: string): boolean {
  // Check for null bytes which can be used to bypass validations.
  if (targetPath.includes("\0")) {
    return false
  }

  // Decode URL-encoded sequences to catch encoded traversal attempts.
  let decodedPath: string
  try {
    // Decode multiple times to catch double-encoded sequences.
    decodedPath = targetPath
    let prevPath = ""
    while (decodedPath !== prevPath && decodedPath.includes("%")) {
      prevPath = decodedPath
      decodedPath = decodeURIComponent(decodedPath)
    }
  } catch {
    // If decoding fails, treat as unsafe.
    return false
  }

  // Normalize both paths to handle different path separators.
  // Convert Windows backslashes to forward slashes for consistent handling.
  const normalizedTarget = path.normalize(decodedPath.replace(/\\/g, "/"))
  const normalizedRoot = path.normalize(cwd)

  // Check for explicit path traversal sequences in both encoded and decoded forms.
  // Allow [...] pattern which is common in framework routing (e.g., [...slug])
  const hasPathTraversal = (path: string) => {
    // Remove [...] patterns before checking for ..
    const withoutBrackets = path.replace(/\[\.\.\..*?\]/g, "")
    return withoutBrackets.includes("..")
  }

  if (
    hasPathTraversal(normalizedTarget) ||
    hasPathTraversal(decodedPath) ||
    hasPathTraversal(targetPath)
  ) {
    return false
  }

  // Check for current directory references that might be used in traversal.
  // First, remove [...] patterns to avoid false positives
  const cleanPath = (path: string) => path.replace(/\[\.\.\..*?\]/g, "")
  const cleanTarget = cleanPath(targetPath)
  const cleanDecoded = cleanPath(decodedPath)

  const suspiciousPatterns = [
    /\.\.[\/\\]/, // ../ or ..\
    /[\/\\]\.\./, // /.. or \..
    /\.\./, // .. anywhere
    /\.\.%/, // URL encoded traversal
    /\x00/, // null byte
    /[\x01-\x1f]/, // control characters
  ]

  if (
    suspiciousPatterns.some(
      (pattern) => pattern.test(cleanTarget) || pattern.test(cleanDecoded)
    )
  ) {
    return false
  }

  // Allow ~/ at the start (home directory expansion within project) but reject ~/../ patterns.
  if (
    (targetPath.includes("~") || decodedPath.includes("~")) &&
    (targetPath.includes("../") || decodedPath.includes("../"))
  ) {
    return false
  }

  // Check for Windows drive letters (even on non-Windows systems for safety).
  const driveLetterRegex = /^[a-zA-Z]:[\/\\]/
  if (driveLetterRegex.test(decodedPath)) {
    // On Windows, check if it starts with the project root.
    if (process.platform === "win32") {
      return decodedPath.toLowerCase().startsWith(cwd.toLowerCase())
    }
    // On non-Windows systems, reject all Windows absolute paths.

Domain

Subdomains

Defined In

Source

Frequently Asked Questions

What does isSafeTarget() do?
isSafeTarget() is a function in the ui codebase, defined in packages/shadcn/src/utils/is-safe-target.ts.
Where is isSafeTarget() defined?
isSafeTarget() is defined in packages/shadcn/src/utils/is-safe-target.ts at line 3.

Analyze Your Own Codebase

Get architecture documentation, dependency graphs, and domain analysis for your codebase in minutes.

Try Supermodel Free