[DOCS] Elevate Path Traversal Safeguards to Mandatory Requirements in Memory Tool Documentation
Documentation Type
Missing documentation (feature not documented)
Documentation Location
https://platform.claude.com/docs/en/agents-and-tools/tool-use/memory-tool
Section/Topic
The "Path traversal protection" section under "Security considerations."
Current Documentation
"Your implementation MUST validate all paths to prevent directory traversal attacks. Consider these safeguards: - Validate that all paths start with /memories - Resolve paths to their canonical form and verify they remain within the memory directory - Reject paths containing sequences like ../, ..\\, or other traversal patterns - Watch for URL-encoded traversal sequences (%2e%2e%2f) - Use your language's built-in path security utilities (e.g., Python's pathlib.Path.resolve() and relative_to())"
What's Wrong or Missing?
While the documentation correctly uses a "Warning" block and states that implementations "MUST" validate paths, the subsequent list of implementation steps is framed as "Consider these safeguards."
In the context of a client-side tool that interacts directly with the user's local filesystem, these steps are not optional "considerations"—they are mandatory security requirements. Failing to perform path canonicalization (resolving symlinks and .. segments) allows a model (via prompt injection or malicious instructions) to read or overwrite sensitive system files (e.g., ~/.ssh/id_rsa or /etc/passwd) by simply requesting a path like /memories/../../.ssh/id_rsa.
Framing these as suggestions reduces the perceived criticality of the implementation details for developers building their own memory backends.
Suggested Improvement
The language should be changed from suggestive to normative.
Suggested Text:
Security Requirements: Path Traversal Protection
To prevent unauthorized access to files outside the intended storage, your implementation MUST enforce the following security controls:
- Path Validation: Ensure every requested path explicitly starts with the
/memoriesprefix. - Canonicalization: Always resolve paths to their absolute, canonical form (removing
..segments and resolving symbolic links) before performing any filesystem operations. - Boundary Check: After canonicalization, verify that the resulting physical path still resides within the designated
/memoriesroot directory. - Pattern Rejection: Explicitly reject any input containing traversal sequences (e.g.,
../,..\\) or URL-encoded equivalents (e.g.,%2e%2e%2f). - Use Native Utilities: Rely on robust standard library functions for these checks, such as Python's
pathlib.Path.resolve()combined with.relative_to(), or Node.js'spath.resolve().
Impact
High - Prevents users from using a feature
Additional Context
- Related documentation: https://platform.claude.com/docs/en/agents-and-tools/tool-use/text-editor-tool
- This is critical because the Memory Tool is specifically designed to allow the model to autonomously manage files across sessions, increasing the window for persistent prompt injection attacks if the underlying tool implementation is insecure.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗