From cfda97c828924fda8dfa3dbeb7d107541a7bb01a Mon Sep 17 00:00:00 2001
From: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com>
Date: Thu, 7 May 2026 11:08:59 +1000
Subject: [PATCH] test: cover external output traversal rejection

---
 test/output.test.ts | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/test/output.test.ts b/test/output.test.ts
index 6c4f51d..016f433 100644
--- a/test/output.test.ts
+++ b/test/output.test.ts
@@ -81,6 +81,24 @@ describe("writeExternalFileWithinRoot", () => {
     await expect(fs.stat(outsidePath)).rejects.toMatchObject({ code: "ENOENT" });
   });
 
+  it("rejects traversal targets before invoking the external writer", async () => {
+    const rootDir = await tempRoot("fs-safe-output-traversal-root-");
+    let called = false;
+
+    await expect(
+      writeExternalFileWithinRoot({
+        rootDir,
+        path: "../../../pwned.txt",
+        write: async (candidate) => {
+          called = true;
+          await fs.writeFile(candidate, "pwned", "utf8");
+        },
+      }),
+    ).rejects.toMatchObject({ code: "outside-workspace" });
+
+    expect(called).toBe(false);
+  });
+
   it("rejects root directory targets before invoking the external writer", async () => {
     const rootDir = await tempRoot("fs-safe-output-root-target-");
     let called = false;