{"id":47923752,"url":"https://github.com/nullean/scoped-filesystem","last_synced_at":"2026-04-20T14:01:30.354Z","repository":{"id":348054067,"uuid":"1196104014","full_name":"nullean/scoped-filesystem","owner":"nullean","description":"System.IO.Abstractions IFileSystem implementation that limits filesystem access to particular folders. ","archived":false,"fork":false,"pushed_at":"2026-04-01T06:54:44.000Z","size":109,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-06T08:29:48.264Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nullean.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-30T11:27:36.000Z","updated_at":"2026-04-01T06:54:22.000Z","dependencies_parsed_at":"2026-04-05T07:00:29.592Z","dependency_job_id":null,"html_url":"https://github.com/nullean/scoped-filesystem","commit_stats":null,"previous_names":["nullean/scoped-filesystem"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/nullean/scoped-filesystem","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nullean%2Fscoped-filesystem","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nullean%2Fscoped-filesystem/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nullean%2Fscoped-filesystem/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nullean%2Fscoped-filesystem/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nullean","download_url":"https://codeload.github.com/nullean/scoped-filesystem/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nullean%2Fscoped-filesystem/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32050451,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-20T11:35:06.609Z","status":"ssl_error","status_checked_at":"2026-04-20T11:34:48.899Z","response_time":94,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-04-04T06:22:45.276Z","updated_at":"2026-04-20T14:01:30.274Z","avatar_url":"https://github.com/nullean.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Nullean.ScopedFileSystem\n\nA `System.IO.Abstractions` `IFileSystem` decorator that restricts file **read and write** operations to one or more configured scope root directories and rejects symbolic links.\n\n## What it does\n\n`ScopedFileSystem` wraps any `IFileSystem` and enforces these rules on every file and directory operation:\n\n| Rule | Detail |\n|------|--------|\n| **Scope** | The resolved path must be within a configured scope root or an explicitly allowed OS special folder. |\n| **No symlinks** | The target and all ancestor directories up to the scope root must not be symbolic links. |\n| **No hidden files** | Files whose name starts with `.` are blocked unless the name is in `AllowedHiddenFileNames`. |\n| **No hidden directories** | Directories whose name starts with `.` are blocked unless the name is in `AllowedHiddenFolderNames`. This applies to both the target directory and all ancestors up to the scope root. |\n| **Exists is safe** | `File.Exists()` and `Directory.Exists()` return `false` for out-of-scope paths instead of throwing. |\n\nAny violation throws `ScopedFileSystemException` (extends `SecurityException`).\n\n## Usage\n\n```csharp\nusing System.IO.Abstractions;\nusing Nullean.ScopedFileSystem;\n\n// Convenience: single root, real filesystem\nIFileSystem scoped = new ScopedFileSystem(\"/var/www/docs\");\n\n// Convenience: custom inner filesystem (e.g. MockFileSystem in tests)\nIFileSystem scoped = new ScopedFileSystem(inner, \"/var/www/docs\");\n\n// Full control via ScopedFileSystemOptions\nIFileSystem scoped = new ScopedFileSystem(inner, new ScopedFileSystemOptions(\"/var/www/docs\")\n{\n    AllowedHiddenFolderNames = [\".git\"],\n    AllowedHiddenFileNames   = [\".gitkeep\"],\n    AllowedSpecialFolders    = AllowedSpecialFolder.Temp | AllowedSpecialFolder.ApplicationData,\n});\n```\n\n```csharp\n// OK — within scope\nvar content = scoped.File.ReadAllText(\"/var/www/docs/page.md\");\n\n// OK — write within scope\nscoped.File.WriteAllText(\"/var/www/docs/output.md\", content);\n\n// Throws ScopedFileSystemException — outside scope\nscoped.File.ReadAllText(\"/etc/passwd\");\n\n// Throws ScopedFileSystemException — hidden file (.env)\nscoped.File.ReadAllText(\"/var/www/docs/.env\");\n\n// Throws ScopedFileSystemException — hidden ancestor directory (.hidden)\nscoped.File.ReadAllText(\"/var/www/docs/.hidden/secret.txt\");\n\n// Returns false — no exception\nbool exists = scoped.File.Exists(\"/etc/passwd\");\n\n// Throws ScopedFileSystemException — symlink\nscoped.File.ReadAllText(\"/var/www/docs/link-to-secret\");\n```\n\n## Multiple roots\n\nPass multiple paths to the constructor. Roots must be fully **disjoint** — no root may be an ancestor of another. Violating this throws `ArgumentException` at construction time.\n\n```csharp\n// OK — /docs and /data are siblings\nnew ScopedFileSystem(inner, \"/docs\", \"/data\");\n\n// ArgumentException — /data is an ancestor of /data/sub\nnew ScopedFileSystem(inner, \"/data\", \"/data/sub\");\n```\n\n## Hidden files and directories\n\nBy default, any file or directory whose name begins with `.` is blocked. Use `ScopedFileSystemOptions` to allow specific names:\n\n```csharp\nvar scoped = new ScopedFileSystem(new ScopedFileSystemOptions(\"/project\")\n{\n    // Allow traversing .git directories (e.g. to read .git/config)\n    AllowedHiddenFolderNames = [\".git\", \".nuget\"],\n\n    // Allow reading/writing specific hidden files\n    AllowedHiddenFileNames = [\".gitkeep\", \".gitignore\"],\n});\n```\n\nAllowlist matching is case-sensitive on Linux and case-insensitive on Windows and macOS, matching the platform filesystem behaviour. Any `IReadOnlyCollection\u003cstring\u003e` is accepted — no need to configure a comparer.\n\n## Special folders\n\nOpt in to read and write access outside the scope roots for well-known OS directories using the `AllowedSpecialFolders` flags enum:\n\n| Flag | macOS | Windows | Linux |\n|------|-------|---------|-------|\n| `Temp` | `/var/folders/…` / `/tmp` | `%TEMP%` | `/tmp` |\n| `ApplicationData` | `~/Library/Application Support` | `%APPDATA%` | `~/.config` |\n| `LocalApplicationData` | `~/Library/Application Support` | `%LOCALAPPDATA%` | `~/.local/share` |\n| `CommonApplicationData` | `/Library/Application Support` | `C:\\ProgramData` | `/usr/share` |\n| `All` | all four combined | | |\n\n```csharp\nvar scoped = new ScopedFileSystem(new ScopedFileSystemOptions(\"/project\")\n{\n    AllowedSpecialFolders = AllowedSpecialFolder.Temp | AllowedSpecialFolder.ApplicationData,\n});\n\n// OK — temp is allowed\nscoped.File.WriteAllText(Path.Combine(Path.GetTempPath(), \"cache.bin\"), data);\n```\n\nPaths are resolved at construction time. Access to special folders bypasses all hidden-file and hidden-directory checks.\n\n## `ScopedFileSystemOptions`\n\n`ScopedFileSystemOptions` is the primary configuration surface. It accepts one or more scope roots either as strings or as `IDirectoryInfo` instances:\n\n```csharp\n// String roots\nvar options = new ScopedFileSystemOptions(\"/root1\", \"/root2\");\n\n// IDirectoryInfo roots\nvar options = new ScopedFileSystemOptions(fs.DirectoryInfo.New(\"/root1\"));\n```\n\n| Property | Type | Default | Description |\n|----------|------|---------|-------------|\n| `ScopeRoots` | `IReadOnlyList\u003cstring\u003e` | _(required on constructor)_ | Scope root paths |\n| `AllowedHiddenFileNames` | `IReadOnlyCollection\u003cstring\u003e` | empty | Hidden file names that are allowed |\n| `AllowedHiddenFolderNames` | `IReadOnlyCollection\u003cstring\u003e` | empty | Hidden directory names that are allowed |\n| `AllowedSpecialFolders` | `AllowedSpecialFolder` | `None` | OS special folders to allow |\n\nThe inner `IFileSystem` is passed directly to `ScopedFileSystem` rather than through options; overloads without an explicit `inner` default to `new FileSystem()`.\n\n## Path validation\n\nAll paths are resolved via `IPath.GetFullPath` before any check. This means traversal sequences like `..` are collapsed first, so `\"/docs/../etc/passwd\"` is correctly identified as `\"/etc/passwd\"` and rejected. Scope membership is verified by walking up the directory tree rather than string prefix matching, which prevents sibling-prefix attacks (e.g. `/docs-extra` is not inside `/docs`).\n\n## Platform behaviour\n\n- **Case sensitivity**: Path comparison is case-sensitive on Linux, case-insensitive on Windows and macOS.\n- **Separator normalisation**: Both `/` and `\\` separators are handled correctly on all platforms.\n\n## Projects\n\n| Project | Description |\n|---------|-------------|\n| `src/Nullean.ScopedFileSystem` | Library |\n| `tests/Nullean.ScopedFileSystem.Tests` | xUnit test suite using `MockFileSystem` |\n\n## Building\n\n```bash\ndotnet build\ndotnet test\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnullean%2Fscoped-filesystem","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnullean%2Fscoped-filesystem","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnullean%2Fscoped-filesystem/lists"}