Fix

Author: GhostTypes

src/utils/security.ts

@@ -227,11 +227,10 @@ function pathIsAbsolute(p: string): boolean {
  * @returns true if the path uses UNC extended-length syntax
  */
 export function isWindowsUncExtendedPath(p: string): boolean {
-  if (process.platform !== 'win32') {
-    return false;
-  }
+  // Check for Windows UNC extended-length paths on all platforms
+  // This is defense-in-depth - reject dangerous path patterns regardless of server OS
   // Match \\?\ or \\.\ prefixes (extended-length path prefixes)
-  // Character class [?.] matches literal ? or . characters
+  // In regex: \\\\ matches \\, [?.] matches ? or ., \\ matches \
   return /^\\\\[?.]\\/.test(p);
 }
 

tests/unit/security.test.ts

@@ -209,9 +209,11 @@ describe('Security Utilities', () => {
       expect(isWindowsUncExtendedPath('\\\\server\\share')).toBe(false);
     });
 
-    it('should return false on non-Windows platforms', () => {
+    it('should detect UNC paths on all platforms (defense-in-depth)', () => {
       Object.defineProperty(process, 'platform', { value: 'linux' });
-      expect(isWindowsUncExtendedPath('\\\\?\\C:\\Windows')).toBe(false);
+      // UNC extended paths should be detected regardless of platform
+      expect(isWindowsUncExtendedPath('\\\\?\\C:\\Windows')).toBe(true);
+      // Regular Unix paths should not match
       expect(isWindowsUncExtendedPath('/usr/bin')).toBe(false);
     });
   });