Currently get_safe_working_directories() returns a fixed list: Path.cwd(), four home subdirectories (~/Documents, ~/Downloads, ~/Desktop, ~/tmp), the system temp dir, and ./tests/fixtures. Any attempt to access files outside those directories fails with SecurityError: Security violation: invalid path.
This is too restrictive for real-world use. Common cases it blocks:
- OneDrive / SharePoint / Dropbox sync roots outside the home directory
- NAS mounts and network drives
- Project directories on non-system drives
- Obsidian vaults, repo clones, analysis workspaces outside ~/Documents
There's no CLI flag, config file, or env var to extend the list. Users either give up or fall back to copying files into ~/Documents before every conversion.
Proposal
Read an optional environment variable, MARKITDOWN_SAFE_DIRS, holding a list of absolute paths separated by the platform's os.pathsep (";" on Windows, ":" on Unix). Each entry is validated (Path.exists(), then .resolve() for normalization) and appended to the safe-dir list.
# Windows
MARKITDOWN_SAFE_DIRS="D:\OneDrive;D:\Projects"
# Unix
MARKITDOWN_SAFE_DIRS="/mnt/nas:/srv/data"
Non-existent entries are skipped with a logger.warning so typos don't silently disappear.
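As an added illustration, not markitdown's code and not the implementation the follow-up PR will contain, here is how the proposed parsing and the accompanying path check could look in Python. The env var name, the Path.exists()-then-.resolve() order and the logger.warning on missing entries follow the proposal; the function names parse_safe_dirs, is_allowed and demo, the stand-in get_safe_working_directories, and the rejection of relative entries are this example's own assumptions (the proposal says the list holds absolute paths but does not say what to do with a relative one). The demo runs on constructed temporary directories, including a symlink that points out of an allowed tree, to show why resolving before comparison matters.

```python
"""Hypothetical MARKITDOWN_SAFE_DIRS parsing and path check (example, not markitdown code)."""
import logging
import os
import tempfile
from pathlib import Path

logger = logging.getLogger(__name__)

ENV_NAME = "MARKITDOWN_SAFE_DIRS"  # name taken from the proposal


def parse_safe_dirs(value, pathsep=os.pathsep):
    """Split VALUE on PATHSEP and return the existing entries, resolved.

    Follows the proposal: Path.exists() first, then .resolve() so that the
    stored form is normalized (no '..', symlinks followed). Missing entries
    are skipped with a warning rather than silently dropped. Skipping
    relative entries is an assumption of this example.
    """
    safe = []
    for raw in value.split(pathsep):
        entry = raw.strip()
        if not entry:
            continue
        p = Path(entry)
        if not p.is_absolute():
            logger.warning("%s: skipping relative entry %r", ENV_NAME, entry)
            continue
        if not p.exists():
            logger.warning("%s: skipping non-existent entry %r", ENV_NAME, entry)
            continue
        safe.append(p.resolve())
    return safe


def get_safe_working_directories(env=os.environ):
    """Stand-in for the function the issue describes: fixed defaults plus env extras."""
    home = Path.home()
    dirs = [
        Path.cwd(),
        home / "Documents", home / "Downloads", home / "Desktop", home / "tmp",
        Path(tempfile.gettempdir()),
        Path("./tests/fixtures"),
    ]
    dirs = [d.resolve() for d in dirs]
    extra = env.get(ENV_NAME)
    if extra:
        dirs.extend(parse_safe_dirs(extra))
    return dirs


def is_allowed(path, safe_dirs):
    """True if the *resolved* PATH lies inside one of SAFE_DIRS.

    Resolving the candidate first is what defeats '..' segments and symlinks
    that lead out of a safe directory; comparing raw strings would not.
    """
    target = Path(path).resolve()
    return any(target == d or d in target.parents for d in safe_dirs)


def demo():
    """Run the check on constructed directories (sample data, not real user files)."""
    root = Path(tempfile.mkdtemp(prefix="safe-dirs-demo-"))
    nas = root / "nas"          # the directory the operator wants to allow
    secret = root / "secret"    # something that must stay out of reach
    nas.mkdir()
    secret.mkdir()
    (secret / "keys.txt").write_text("constructed sample\n")
    link = nas / "escape"       # a link inside the allowed tree pointing outside it
    link.symlink_to(secret)

    value = os.pathsep.join([str(nas), str(root / "does-not-exist")])
    safe = parse_safe_dirs(value)   # the missing entry is warned about and dropped
    return {
        "safe_count": len(safe),
        "inside_allowed": is_allowed(nas / "report.docx", safe),
        "dotdot_blocked": not is_allowed(nas / ".." / "secret" / "keys.txt", safe),
        "symlink_blocked": not is_allowed(link / "keys.txt", safe),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(demo())
```

Running the module prints a dict in which only the existing entry survived parsing, a file directly under the allowed directory is accepted, and both the `..` traversal and the symlink escape are rejected because the comparison happens on resolved paths.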
Security considerations
This widens the sandbox, but:
- Only the operator sets the env var — the LLM cannot self-elevate via tool calls.
- The existing hardcoded defaults (~/Documents, ~/Downloads, …) already contain arbitrary user files, so the current sandbox is not a meaningful security boundary — it's a convenience default.
- Opt-in via env variable is the standard pattern for tools of this shape (NODE_EXTRA_CA_CERTS, PYTHONPATH, PIP_INDEX_URL, etc.).
PR
Implementation follows in a separate PR after #37 lands, to keep the bug fixes and the feature cleanly separated.