Merge commit from fork

facelessuser · web-flow · commit 63b7835776d7 · 2026-05-13T06:50:35.000-06:00
* Fix directory traversal issue with restrict_base_path Found by @gistrec. * Check for os separator as root could already end properly Though paths like root are not advised, we should handle them in a sane manner. * Documentation tests use strict mode which flags numerous false positives Zensical now supports strict mode, but it will flag links as invalid that are not valid due to it not being knowledgeable about common, non-standard syntax.
diff --git a/docs/src/markdown/about/changelog.md b/docs/src/markdown/about/changelog.md
@@ -3,6 +3,11 @@ icon: lucide/scroll-text
 ---
 # Changelog
 
+## 10.21.3
+
+-   **FIX**: Fix regression that allows a snippet to be loaded outside of the base path using directory traversal when
+    `restrict_base_path` is enabled (the default). Found by @gistrec.
+
 ## 10.21.2
 
 -   **FIX**: Highlight: Latest Pygments versions cannot handle a "filename" for code block titles of `None`.
diff --git a/pymdownx/__meta__.py b/pymdownx/__meta__.py
@@ -193,5 +193,5 @@ def parse_version(ver: str) -> Version:
     return Version(major, minor, micro, release, pre, post, dev)
 
 
-__version_info__ = Version(10, 21, 2, "final")
+__version_info__ = Version(10, 21, 3, "final")
 __version__ = __version_info__._get_canonical()
diff --git a/pymdownx/snippets.py b/pymdownx/snippets.py
@@ -171,7 +171,9 @@ def get_snippet_path(self, path):
                     if self.restrict_base_path:
                         filename = os.path.abspath(os.path.join(base, path))
                         # If the absolute path is no longer under the specified base path, reject the file
-                        if not filename.startswith(base):
+                        # Append `os.sep` so a sibling directory whose name shares a prefix
+                        # (e.g. `/x/docs` vs `/x/docs_evil`) cannot satisfy the check.
+                        if not filename.startswith(base + os.sep if not base.endswith(os.sep) else base):
                             continue
                     else:
                         filename = os.path.join(base, path)
diff --git a/pyproject.toml b/pyproject.toml
@@ -159,7 +159,7 @@ legacy_tox_ini = """
         .[extra]
     commands=
         {envpython} -m pip install .
-        {envpython} -m zensical build -f zensical.yml --clean --strict
+        {envpython} -m zensical build -f zensical.yml --clean
         {envpython} -m pyspelling -j 8
 
     [testenv:lint]
diff --git a/tests/test_extensions/_snippets/nested_b.txt b/tests/test_extensions/_snippets/nested_b.txt
@@ -0,0 +1 @@
+Snippet
diff --git a/tests/test_extensions/test_snippets.py b/tests/test_extensions/test_snippets.py
@@ -730,6 +730,20 @@ def test_restricted(self):
                 True
             )
 
+    def test_restricted_directory_traversal(self):
+        """Test file restriction directory traversal."""
+
+        with self.assertRaises(SnippetMissingError):
+            self.check_markdown(
+                R'''
+                --8<-- "../nested_b.txt"
+                ''',
+                '''
+                <p>Snippet</p>
+                ''',
+                True
+            )
+
 
 class TestSnippetsMultiNested(util.MdCase):
     """Test multi-nested restriction."""
@@ -786,6 +800,19 @@ def test_restricted(self):
             True
         )
 
+    def test_restricted_directory_traversal(self):
+        """Test file restriction directory traversal."""
+
+        self.check_markdown(
+            R'''
+            --8<-- "../nested_b.txt"
+            ''',
+            '''
+            <p>Snippet</p>
+            ''',
+            True
+        )
+
 
 class TestSnippetsAutoAppend(util.MdCase):
     """Test snippet file case."""
