Replace naive string-based ".." detection with component-based analysis
to eliminate false positives while maintaining security.
Problem:
- Filenames like "Battery... Rekon 35.m4a" were incorrectly flagged
- String check `if ".." in path` matched ellipsis (...) as traversal
Solution:
- Parse path into components using Path().parts
- Check each component for exact ".." match
- Allows ellipsis in filenames while blocking actual traversal
Security maintained:
- ✅ Blocks: ../etc/passwd, dir/../../secret, /../../../etc/hosts
- ✅ Allows: file...mp3, Wait... what.m4a, Battery...Rekon.m4a
Tests:
- Added comprehensive test suite with 8 test cases
- Verified ellipsis filenames pass validation
- Verified path traversal attacks still blocked
- All tests passing (8/8)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
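
The two checks this commit message describes, side by side, as an added example (not the code from this commit). The function names are hypothetical, the sample paths are the ones listed in the message, and the backslash handling via `PureWindowsPath` is an assumption that goes beyond what the commit states.

```python
from pathlib import PurePosixPath, PureWindowsPath

# Sample inputs copied from the commit message.
ELLIPSIS_NAMES = [
    "Battery... Rekon 35.m4a",
    "file...mp3",
    "Wait... what.m4a",
    "Battery...Rekon.m4a",
]
TRAVERSAL_PATHS = ["../etc/passwd", "dir/../../secret", "/../../../etc/hosts"]


def naive_has_traversal(path: str) -> bool:
    """Old behaviour: any '..' substring matches, so an ellipsis is flagged too."""
    return ".." in path


def has_traversal(path: str) -> bool:
    """Component-based check: flag only a path component that is exactly '..'.

    pathlib keeps '..' components as-is (it does not collapse them), so
    .parts can be inspected directly. Splitting with both flavours is an
    added assumption so that backslash-separated input such as
    'dir\\..\\secret' is caught even when the code runs on POSIX.
    """
    parts = set(PurePosixPath(path).parts) | set(PureWindowsPath(path).parts)
    return ".." in parts


def compare(paths):
    """Return (path, naive_result, component_result) for each input."""
    return [(p, naive_has_traversal(p), has_traversal(p)) for p in paths]


if __name__ == "__main__":
    for path, naive, component in compare(ELLIPSIS_NAMES + TRAVERSAL_PATHS):
        print(f"{path!r:32} naive={naive!s:5} component={component}")
```

A component check only answers whether `..` appears as a path element; confirming that the final resolved path stays inside the intended base directory is a separate check.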