fix: Remove redundant path traversal check for hardcoded common schema path

Author: cursoragent

src/core/structured-output-schema.ts

@@ -79,8 +79,13 @@ function schemaPathFor(ref: StructuredOutputSchemaRef): string {
   const resolvedSchemasDir = path.resolve(schemasDir);
 
   // Prevent path traversal attacks by ensuring the resolved path is within the schemas directory
-  if (!resolvedPath.startsWith(resolvedSchemasDir + path.sep) && resolvedPath !== resolvedSchemasDir) {
-    throw new Error(`Invalid schema path: attempted path traversal detected for ${ref.schema}@${ref.version}`);
+  if (
+    !resolvedPath.startsWith(resolvedSchemasDir + path.sep) &&
+    resolvedPath !== resolvedSchemasDir
+  ) {
+    throw new Error(
+      `Invalid schema path: attempted path traversal detected for ${ref.schema}@${ref.version}`,
+    );
   }
 
   return schemaPath;
@@ -203,20 +208,9 @@ export function getMcpOutputSchema(ref: StructuredOutputSchemaRef): JsonObject {
 
   const rootSchema = readJsonObject(schemaPathFor(ref), `${ref.schema}@${ref.version}`);
 
-  // Validate common schema path to prevent path traversal
   const schemasDir = getStructuredOutputSchemasDir();
   const commonSchemaPath = path.join(schemasDir, '_defs', 'common.schema.json');
-  const resolvedCommonPath = path.resolve(commonSchemaPath);
-  const resolvedSchemasDir = path.resolve(schemasDir);
-
-  if (!resolvedCommonPath.startsWith(resolvedSchemasDir + path.sep) && resolvedCommonPath !== resolvedSchemasDir) {
-    throw new Error('Invalid common schema path: attempted path traversal detected');
-  }
-
-  const commonSchema = readJsonObject(
-    commonSchemaPath,
-    'common structured output definitions',
-  );
+  const commonSchema = readJsonObject(commonSchemaPath, 'common structured output definitions');
   const bundled = bundleSchema(rootSchema, commonSchema);
   bundledSchemaCache.set(cacheKey, bundled);
   return cloneJson(bundled);