[DOCS] Security vulnerability in Python SDK permission handler example (path traversal)
Resolved 💬 2 comments Opened Jan 25, 2026 by coygeek Closed Feb 27, 2026
Documentation Type
other
Documentation Location
https://platform.claude.com/docs/en/agent-sdk/python
Section/Topic
"Example - Advanced permission control" section
Current Documentation
if tool_name == "Write" and input_data.get("file_path", "").startswith("/system/"):
return PermissionResultDeny(...)
What's Wrong or Missing?
The example code demonstrates path validation using startswith("/system/") on a raw user-supplied path. This pattern is vulnerable to:
- Directory traversal attacks: A path like
../../system/configwon't match the check but could still target system files after path resolution - Non-normalized paths: Paths like
/system/../system/configor/system/./configmay bypass or inconsistently match the check - Symbolic link exploitation: The check doesn't verify if the path resolves through symlinks to protected areas
Developers copying this example for real security checks could inadvertently create exploitable permission handlers.
Suggested Improvement
Update the example to resolve and normalize paths before checking:
import os
# Normalize the path before checking
file_path = os.path.abspath(input_data.get("file_path", ""))
if tool_name == "Write" and file_path.startswith("/system/"):
return PermissionResultDeny(
message="Writing to /system/ is not allowed"
)
Or better, use os.path.realpath() to also resolve symlinks:
file_path = os.path.realpath(input_data.get("file_path", ""))
Impact
Medium - Makes feature difficult to understand
Additional Context
- This is a security-critical documentation issue as developers often copy permission handler patterns directly
- Consider adding a note about path normalization best practices in security-sensitive contexts
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗