From 0f7a9370d1a8a9b5fdfa270f9fcbdd42e2698827 Mon Sep 17 00:00:00 2001
From: yCodeTech <studocwho@hotmail.com>
Date: Fri, 6 Feb 2026 03:17:51 +0000
Subject: [PATCH] fix: validate and sanitize the dev env variable

- Added `validateDevEnvVariables` util function to validate and sanitize the `DEV_USER_EXTENSIONS_PATH` env variable value. Added it's function call to `addDevEnvVariables` util function.

This function is based on the code Copilot created in PR #23, but with significant improvement.
---
 src/utils.ts | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)

diff --git a/src/utils.ts b/src/utils.ts
index bdbbdf4..a6b0de2 100644
--- a/src/utils.ts
+++ b/src/utils.ts
@@ -249,4 +249,64 @@ export function addDevEnvVariables() {
 	} catch (error) {
 		// Ignore errors if the .env file doesn't exist
 	}
+
+	// Validate the loaded environment variables
+	validateDevEnvVariables();
+}
+
+/**
+ * Validate and sanitize the `DEV_USER_EXTENSIONS_PATH` environment variable.
+ * Removes invalid paths from the environment with logged errors.
+ */
+function validateDevEnvVariables() {
+	// Validate DEV_USER_EXTENSIONS_PATH if it was loaded
+	if (process.env.DEV_USER_EXTENSIONS_PATH) {
+		// Trim whitespace and resolve the path to an absolute path
+		let devPath = path.resolve(process.env.DEV_USER_EXTENSIONS_PATH.trim());
+
+		let stats: fs.Stats;
+		let errorMsg: string;
+		let errorData: Error;
+
+		// Get the file system stats for the path to check if it exists.
+		// statSync throws an exception if the no file system data exists for the path,
+		// so we catch it to handle errors gracefully.
+		try {
+			stats = fs.statSync(devPath);
+		} catch (error) {
+			const nodeError = error as NodeJS.ErrnoException;
+			const errorCode = nodeError.code || "UNKNOWN";
+
+			// Handle specific file system errors with user-friendly messages.
+			const errorMessages = {
+				ENOENT: "Path from env variable 'DEV_USER_EXTENSIONS_PATH' does not exist",
+				EACCES: "Permission denied accessing path from env variable 'DEV_USER_EXTENSIONS_PATH'",
+				UNKNOWN: "Unknown error accessing the path from env variable 'DEV_USER_EXTENSIONS_PATH'",
+			};
+
+			errorMsg = `${errorCode}: ${errorMessages[errorCode]}: "${devPath}". Removing from environment.`;
+
+			errorData = error as Error;
+
+			delete process.env.DEV_USER_EXTENSIONS_PATH;
+		}
+
+		// If stats has data AND the path is NOT a directory
+		if (stats && !stats.isDirectory()) {
+			errorMsg = `DEV_USER_EXTENSIONS_PATH is not a directory: "${devPath}". Removing from environment.`;
+		}
+
+		// If there was an error...
+		if (errorMsg.length > 0) {
+			// Delete the environment variable to prevent issues later on and log the error.
+			delete process.env.DEV_USER_EXTENSIONS_PATH;
+			logger.error(errorMsg, errorData);
+		}
+		// Otherwise, if there are no errors...
+		else {
+			// Update the environment variable with the sanitized path and log a success message.
+			process.env.DEV_USER_EXTENSIONS_PATH = devPath;
+			logger.info(`Loaded DEV_USER_EXTENSIONS_PATH: "${devPath}"`);
+		}
+	}
 }