path.c File Reference

Cross-platform path manipulation with normalization and Windows/Unix separator handling. More...

Go to the source code of this file.

Functions
const char *	extract_project_relative_path (const char *file)
char *	expand_path (const char *path)
char *	get_config_dir (void)
char *	get_data_dir (void)
char *	get_log_dir (void)
char *	get_discovery_database_dir (void)
bool	path_normalize_copy (const char *path, char *out, size_t out_len)
bool	path_is_absolute (const char *path)
bool	path_is_within_base (const char *path, const char *base)
bool	path_is_within_any_base (const char *path, const char *const *bases, size_t base_count)
bool	path_looks_like_path (const char *value)
asciichat_error_t	path_validate_user_path (const char *input, path_role_t role, char **normalized_out)

Detailed Description

Cross-platform path manipulation with normalization and Windows/Unix separator handling.

Definition in file path.c.

Function Documentation

expand_path()

char * expand_path

(

const char *

path

)

Definition at line 471 of file path.c.

                                    {
  if (path[0] == PATH_TILDE) {
    const char *home = platform_get_home_dir();
    if (!home) {
      return NULL;
    }
 
    char *expanded;
    size_t total_len = strlen(home) + strlen(path) + 1; // path includes the tilde
    expanded = SAFE_MALLOC(total_len, char *);
    if (!expanded) {
      return NULL;
    }
    safe_snprintf(expanded, total_len, "%s%s", home, path + 1);
 
    platform_normalize_path_separators(expanded);
 
    return expanded;
  }
  return platform_strdup(path);
}

References platform_get_home_dir(), platform_normalize_path_separators(), platform_strdup(), and safe_snprintf().

Referenced by config_create_default(), config_load_and_apply(), detect_default_ssh_key(), and path_validate_user_path().

extract_project_relative_path()

const char * extract_project_relative_path

(

const char *

file

)

Definition at line 410 of file path.c.

                                                            {
  if (!file) {
    SET_ERRNO(ERROR_INVALID_PARAM, "file is null");
    return "unknown";
  }
 
#ifdef __EMSCRIPTEN__
  // WASM builds: Return raw path to avoid recursion in logging system
  // extract_project_relative_path is called from format_log_header, which is part of logging.
  // If we call normalize_path or other functions that might use SET_ERRNO or log functions,
  // we create infinite recursion: log_msg -> format_log_header -> extract_project_relative_path -> SET_ERRNO ->
  // log_error -> log_msg For WASM, just return the filename without path processing.
  const char *sep = strrchr(file, '/');
  if (!sep) {
    sep = strrchr(file, '\\');
  }
  return sep ? sep + 1 : file;
#endif
 
  /* First normalize the path to resolve .. and . components */
  const char *normalized = normalize_path(file);
 
  /* Try to find and strip the project root from the absolute path */
  char *project_root = find_project_root();
  if (project_root) {
    size_t root_len = strlen(project_root);
    size_t norm_len = strlen(normalized);
 
    /* Check if normalized path starts with project root */
    if (norm_len > root_len && strncmp(normalized, project_root, root_len) == 0) {
      const char *remainder = normalized + root_len;
 
      /* Skip the separator if present */
      if (*remainder == PATH_DELIM || *remainder == '/' || *remainder == '\\') {
        remainder++;
      }
 
      free(project_root);
      return remainder;
    }
    free(project_root);
  }
 
  /* Fallback: Extract relative path by looking for common separators */
  const char *last_sep = strrchr(normalized, PATH_DELIM);
  if (!last_sep) {
    last_sep = strrchr(normalized, '/');
  }
  if (!last_sep) {
    last_sep = strrchr(normalized, '\\');
  }
 
  /* If we found a separator, return the part after it */
  if (last_sep) {
    return last_sep + 1;
  }
 
  /* Last resort: return just the filename (don't return absolute path) */
  return normalized;
}

Referenced by asciichat_fatal_with_context(), asciichat_print_error_context(), log_json_async_safe(), log_json_write(), and log_template_apply().

get_config_dir()

char * get_config_dir

(

void

)

Definition at line 493 of file path.c.

                           {
  /* Delegate to platform abstraction layer */
  return platform_get_config_dir();
}

References platform_get_config_dir().

Referenced by acds_main(), config_load_and_apply(), discovery_keys_get_cache_path(), get_known_hosts_path(), options_init(), and path_validate_user_path().

get_data_dir()

char * get_data_dir

(

void

)

Definition at line 498 of file path.c.

                         {
  /* Delegate to platform abstraction layer */
  return platform_get_data_dir();
}

References platform_get_data_dir().

Referenced by get_discovery_database_dir().

get_discovery_database_dir()

char * get_discovery_database_dir

(

void

)

Definition at line 581 of file path.c.

                                       {
#ifdef _WIN32
  // Windows: Try %PROGRAMDATA%\ascii-chat\ first, then fall back to user directories
  const char *program_data = platform_getenv("PROGRAMDATA");
  if (program_data && program_data[0] != '\0') {
    size_t len = strlen(program_data) + strlen("\\ascii-chat\\") + 1;
    char *system_dir = SAFE_MALLOC(len, char *);
    if (system_dir) {
      safe_snprintf(system_dir, len, "%s\\ascii-chat\\", program_data);
 
      // Try to create directory recursively with public permissions (755 equivalent)
      asciichat_error_t mkdir_result = platform_mkdir_recursive(system_dir, 0755);
      if (mkdir_result == ASCIICHAT_OK) {
        // Directory exists or was created - check if writable
        if (platform_access(system_dir, PLATFORM_ACCESS_WRITE) == 0) {
          return system_dir; // System-wide location is writable
        }
      }
      SAFE_FREE(system_dir);
    }
  }
 
  // Fall back to user data directory
  char *data_dir = get_data_dir();
  if (data_dir) {
    // Try to create the directory recursively
    asciichat_error_t mkdir_result = platform_mkdir_recursive(data_dir, DIR_PERM_PRIVATE);
    if (mkdir_result == ASCIICHAT_OK) {
      if (platform_access(data_dir, PLATFORM_ACCESS_WRITE) == 0) {
        return data_dir;
      }
    }
    SAFE_FREE(data_dir);
  }
 
  return NULL;
#else
  // Unix: Try ${INSTALL_PREFIX}/var/ascii-chat/ first (system-wide, Homebrew-aware)
  // This uses the baked-in install prefix from paths.h (e.g., /opt/homebrew or /usr/local)
  const char *prefix = ASCIICHAT_INSTALL_PREFIX;
  size_t system_len = strlen(prefix) + strlen("/var/ascii-chat/") + 1;
  char *system_dir = SAFE_MALLOC(system_len, char *);
  if (system_dir) {
    safe_snprintf(system_dir, system_len, "%s/var/ascii-chat/", prefix);
 
    // Try to create directory recursively with public permissions (755) for system-wide use
    // platform_mkdir_recursive creates parent directories as needed
    asciichat_error_t mkdir_result = platform_mkdir_recursive(system_dir, 0755);
    if (mkdir_result == ASCIICHAT_OK) {
      // Directory exists or was created - check if writable
      if (platform_access(system_dir, PLATFORM_ACCESS_WRITE) == 0) {
        return system_dir; // System-wide location is writable
      }
    }
    SAFE_FREE(system_dir);
  }
 
#ifdef __APPLE__
  // On macOS, /usr/local is typically user-writable (set up by Homebrew)
  // Try it if the install prefix is different (e.g., /opt/homebrew on Apple Silicon)
  if (strcmp(prefix, "/usr/local") != 0) {
    const char *usr_local_path = "/usr/local/var/ascii-chat/";
    size_t usr_local_len = strlen(usr_local_path) + 1;
    char *usr_local_dir = SAFE_MALLOC(usr_local_len, char *);
    if (usr_local_dir) {
      safe_snprintf(usr_local_dir, usr_local_len, "%s", usr_local_path);
 
      asciichat_error_t mkdir_result = platform_mkdir_recursive(usr_local_dir, 0755);
      if (mkdir_result == ASCIICHAT_OK) {
        if (platform_access(usr_local_dir, PLATFORM_ACCESS_WRITE) == 0) {
          return usr_local_dir; // /usr/local is writable
        }
      }
      SAFE_FREE(usr_local_dir);
    }
  }
#endif
 
  // Fall back to user data directory (XDG_DATA_HOME or ~/.local/share/ascii-chat/)
  char *data_dir = get_data_dir();
  if (data_dir) {
    // Try to create the directory recursively
    asciichat_error_t mkdir_result = platform_mkdir_recursive(data_dir, DIR_PERM_PRIVATE);
    if (mkdir_result == ASCIICHAT_OK) {
      if (platform_access(data_dir, PLATFORM_ACCESS_WRITE) == 0) {
        return data_dir;
      }
    }
    SAFE_FREE(data_dir);
  }
 
  return NULL;
#endif
}

References get_data_dir(), platform_access(), platform_getenv(), platform_mkdir_recursive(), and safe_snprintf().

Referenced by options_init().

get_log_dir()

char * get_log_dir

(

void

)

Definition at line 503 of file path.c.

                        {
#ifdef __EMSCRIPTEN__
  // WASM builds: Return NULL to skip SAFE_MALLOC before memory tracking is initialized
  // The caller will use a fallback path (temp dir + filename)
  return NULL;
#endif
 
#ifdef NDEBUG
  // Release builds: Use $TMPDIR/ascii-chat/
  // Get system temp directory
  char temp_dir[PLATFORM_MAX_PATH_LENGTH];
  if (!platform_get_temp_dir(temp_dir, sizeof(temp_dir))) {
    // Fallback: Use current working directory if temp dir unavailable
    char cwd_buf[PLATFORM_MAX_PATH_LENGTH];
    if (!platform_get_cwd(cwd_buf, sizeof(cwd_buf))) {
      return NULL;
    }
    char *result = SAFE_MALLOC(strlen(cwd_buf) + 1, char *);
    if (!result) {
      return NULL;
    }
    safe_snprintf(result, strlen(cwd_buf) + 1, "%s", cwd_buf);
    return result;
  }
 
  // Build path to ascii-chat subdirectory
  size_t log_dir_len = strlen(temp_dir) + strlen(PATH_SEPARATOR_STR) + strlen("ascii-chat") + 1;
  char *log_dir = SAFE_MALLOC(log_dir_len, char *);
  if (!log_dir) {
    return NULL;
  }
  safe_snprintf(log_dir, log_dir_len, "%s%sascii-chat", temp_dir, PATH_SEPARATOR_STR);
 
  // Create the directory if it doesn't exist (with owner-only permissions)
  asciichat_error_t mkdir_result = platform_mkdir(log_dir, DIR_PERM_PRIVATE);
  if (mkdir_result != ASCIICHAT_OK) {
    // Directory creation failed - fall back to temp_dir without subdirectory
    SAFE_FREE(log_dir);
    char *result = SAFE_MALLOC(strlen(temp_dir) + 1, char *);
    if (!result) {
      return NULL;
    }
    safe_snprintf(result, strlen(temp_dir) + 1, "%s", temp_dir);
    return result;
  }
 
  // Verify the directory is writable
  if (platform_access(log_dir, PLATFORM_ACCESS_WRITE) != 0) {
    // Directory not writable - fall back to temp_dir
    SAFE_FREE(log_dir);
    char *result = SAFE_MALLOC(strlen(temp_dir) + 1, char *);
    if (!result) {
      return NULL;
    }
    safe_snprintf(result, strlen(temp_dir) + 1, "%s", temp_dir);
    return result;
  }
 
  return log_dir;
#else
  // Debug builds: Use repository root for logs
  char *repo_root = find_project_root();
  if (repo_root) {
    return repo_root;
  }
 
  // Fallback to current working directory if repo root not found
  char cwd_buf[PLATFORM_MAX_PATH_LENGTH];
  if (!platform_get_cwd(cwd_buf, sizeof(cwd_buf))) {
    return NULL;
  }
 
  char *result = SAFE_MALLOC(strlen(cwd_buf) + 1, char *);
  safe_snprintf(result, strlen(cwd_buf) + 1, "%s", cwd_buf);
  return result;
#endif
}

References platform_access(), platform_get_cwd(), platform_get_temp_dir(), PLATFORM_MAX_PATH_LENGTH, and safe_snprintf().

path_is_absolute()

bool path_is_absolute

(

const char *

path

)

Definition at line 696 of file path.c.

                                        {
  if (!path || !*path) {
    return false;
  }
 
#ifdef _WIN32
  if ((path[0] == '\\' && path[1] == '\\')) {
    return true; // UNC path
  }
  if (isalpha((unsigned char)path[0]) && path[1] == PATH_DRIVE_SEPARATOR && path[2] == PATH_DELIM) {
    return true;
  }
  return false;
#else
  return path[0] == PATH_DELIM;
#endif
}

Referenced by path_is_within_base(), and path_validate_user_path().

path_is_within_any_base()

bool path_is_within_any_base	(	const char *	path,
		const char *const *	bases,
		size_t	base_count
	)

Definition at line 748 of file path.c.

                                                                                            {
  if (!path || !bases || base_count == 0) {
    return false;
  }
 
  for (size_t i = 0; i < base_count; ++i) {
    const char *base = bases[i];
    if (!base) {
      continue;
    }
    if (path_is_within_base(path, base)) {
      return true;
    }
  }
 
  return false;
}

References path_is_within_base().

Referenced by path_validate_user_path().

path_is_within_base()

bool path_is_within_base	(	const char *	path,
		const char *	base
	)

Definition at line 714 of file path.c.

                                                             {
  if (!path || !base) {
    return false;
  }
 
  if (!path_is_absolute(path) || !path_is_absolute(base)) {
    return false;
  }
 
  char normalized_path[PLATFORM_MAX_PATH_LENGTH];
  char normalized_base[PLATFORM_MAX_PATH_LENGTH];
 
  if (!path_normalize_copy(path, normalized_path, sizeof(normalized_path))) {
    return false;
  }
  if (!path_normalize_copy(base, normalized_base, sizeof(normalized_base))) {
    return false;
  }
 
  size_t base_len = strlen(normalized_base);
  if (base_len == 0) {
    return false;
  }
 
  if (platform_path_strcasecmp(normalized_path, normalized_base, base_len) != 0) {
    return false;
  }
  char next = normalized_path[base_len];
  if (next == '\0') {
    return true;
  }
  return next == PATH_DELIM;
}

References path_is_absolute(), path_normalize_copy(), PLATFORM_MAX_PATH_LENGTH, and platform_path_strcasecmp().

Referenced by path_is_within_any_base().

path_looks_like_path()

bool path_looks_like_path

(

const char *

value

)

Definition at line 766 of file path.c.

                                             {
  if (!value || *value == '\0') {
    return false;
  }
 
  if (value[0] == PATH_DELIM || value[0] == PATH_COMPONENT_DOT || value[0] == PATH_TILDE) {
    return true;
  }
 
  if (strchr(value, PATH_DELIM)) {
    return true;
  }
 
#ifdef _WIN32
  if (isalpha((unsigned char)value[0]) && value[1] == ':' && value[2] == PATH_DELIM) {
    return true;
  }
#endif
 
  return false;
}

Referenced by parse_keys_from_file(), parse_public_key(), parse_public_keys(), path_validate_user_path(), and validate_ssh_key_file().

path_normalize_copy()

bool path_normalize_copy	(	const char *	path,
		char *	out,
		size_t	out_len
	)

Definition at line 676 of file path.c.

                                                                      {
  if (!path || !out || out_len == 0) {
    SET_ERRNO(ERROR_INVALID_PARAM, "null path or out or out_len is 0");
    return false;
  }
 
  const char *normalized = normalize_path(path);
  if (!normalized) {
    return false;
  }
 
  size_t len = strlen(normalized);
  if (len + 1 > out_len) {
    return false;
  }
 
  memcpy(out, normalized, len + 1);
  return true;
}

Referenced by path_is_within_base(), and path_validate_user_path().

path_validate_user_path()

asciichat_error_t path_validate_user_path	(	const char *	input,
		path_role_t	role,
		char **	normalized_out
	)

Definition at line 974 of file path.c.

                                                                                                      {
  if (!normalized_out) {
    return SET_ERRNO(map_role_to_error(role), "path_validate_user_path requires output pointer");
  }
  *normalized_out = NULL;
 
  if (!input || *input == '\0') {
    return SET_ERRNO(map_role_to_error(role), "Path is empty for role %d", role);
  }
 
  // SECURITY: For log files, if input is a simple filename (no separators or ..), constrain it to a safe directory
  if (role == PATH_ROLE_LOG_FILE) {
    // Check if input contains path separators or parent directory references
    bool is_simple_filename = true;
    for (const char *p = input; *p; p++) {
      if (*p == PATH_DELIM || *p == '/' || *p == '\\') {
        is_simple_filename = false;
        break;
      }
    }
    // Also reject ".." components (even without separators like "..something")
    if (strstr(input, "..") != NULL) {
      is_simple_filename = false;
    }
 
    // If it's a simple filename, resolve it to a safe base directory
    if (is_simple_filename) {
      // Always prefer current working directory for simple log filenames
      // This ensures logs go to where the user is running the command from
      char safe_base[PLATFORM_MAX_PATH_LENGTH];
 
      if (!platform_get_cwd(safe_base, sizeof(safe_base))) {
        // If cwd fails, try config dir as fallback
        char *config_dir = get_config_dir();
        if (config_dir) {
          SAFE_STRNCPY(safe_base, config_dir, sizeof(safe_base));
          SAFE_FREE(config_dir);
        } else {
          return SET_ERRNO(ERROR_LOGGING_INIT, "Failed to determine safe directory for log file");
        }
      }
 
      // Build the full path: safe_base + separator + input
      size_t base_len = strlen(safe_base);
      size_t input_len = strlen(input);
      bool needs_sep = base_len > 0 && safe_base[base_len - 1] != PATH_DELIM;
      size_t total_len = base_len + (needs_sep ? 1 : 0) + input_len + 1;
 
      if (total_len > PLATFORM_MAX_PATH_LENGTH) {
        return SET_ERRNO(ERROR_LOGGING_INIT, "Log file path too long: %s/%s", safe_base, input);
      }
 
      char resolved_buf[PLATFORM_MAX_PATH_LENGTH];
      safe_snprintf(resolved_buf, sizeof(resolved_buf), "%s%s%s", safe_base, needs_sep ? PATH_SEPARATOR_STR : "",
                    input);
 
      // Normalize the resolved path
      char normalized_buf[PLATFORM_MAX_PATH_LENGTH];
      if (!path_normalize_copy(resolved_buf, normalized_buf, sizeof(normalized_buf))) {
        return SET_ERRNO(ERROR_LOGGING_INIT, "Failed to normalize log file path: %s", resolved_buf);
      }
 
      // Allocate and return the result
      char *result = SAFE_MALLOC(strlen(normalized_buf) + 1, char *);
      if (!result) {
        return SET_ERRNO(ERROR_MEMORY, "Failed to allocate normalized path");
      }
      safe_snprintf(result, strlen(normalized_buf) + 1, "%s", normalized_buf);
      *normalized_out = result;
      return ASCIICHAT_OK;
    }
    // If not a simple filename (contains separators), continue with normal validation below
  }
 
  // For non-log-files or log files with path separators, validate as usual
  if (role != PATH_ROLE_LOG_FILE && !path_looks_like_path(input)) {
    return SET_ERRNO(map_role_to_error(role), "Value does not look like a filesystem path: %s", input);
  }
 
  char *expanded = expand_path(input);
  if (!expanded) {
    return SET_ERRNO(map_role_to_error(role), "Failed to expand path: %s", input);
  }
 
  char candidate_buf[PLATFORM_MAX_PATH_LENGTH];
  const char *candidate_path = expanded;
 
  if (!path_is_absolute(candidate_path)) {
    char cwd_buf[PLATFORM_MAX_PATH_LENGTH];
    if (!platform_get_cwd(cwd_buf, sizeof(cwd_buf))) {
      SAFE_FREE(expanded);
      return SET_ERRNO(map_role_to_error(role), "Failed to determine current working directory");
    }
 
    size_t total_len = strlen(cwd_buf) + 1 + strlen(candidate_path) + 1;
    if (total_len >= sizeof(candidate_buf)) {
      SAFE_FREE(expanded);
      return SET_ERRNO(map_role_to_error(role), "Resolved path is too long: %s/%s", cwd_buf, candidate_path);
    }
    if (strlen(candidate_path) > 0 && candidate_path[0] == PATH_DELIM) {
      safe_snprintf(candidate_buf, sizeof(candidate_buf), "%s%s", cwd_buf, candidate_path);
    } else {
      safe_snprintf(candidate_buf, sizeof(candidate_buf), "%s%c%s", cwd_buf, PATH_DELIM, candidate_path);
    }
    candidate_path = candidate_buf;
  }
 
  char normalized_buf[PLATFORM_MAX_PATH_LENGTH];
  if (!path_normalize_copy(candidate_path, normalized_buf, sizeof(normalized_buf))) {
    SAFE_FREE(expanded);
    return SET_ERRNO(map_role_to_error(role), "Failed to normalize path: %s", candidate_path);
  }
 
  if (!path_is_absolute(normalized_buf)) {
    SAFE_FREE(expanded);
    return SET_ERRNO(map_role_to_error(role), "Normalized path is not absolute: %s", normalized_buf);
  }
 
  const char *bases[MAX_PATH_BASES] = {0};
  size_t base_count = 0;
 
  // Always add current working directory as an allowed base
  // This is critical for log files and other paths relative to where the user runs the command
  char cwd_base[PLATFORM_MAX_PATH_LENGTH];
  if (platform_get_cwd(cwd_base, sizeof(cwd_base))) {
    append_base_if_valid(cwd_base, bases, &base_count);
  }
 
  char temp_base[PLATFORM_MAX_PATH_LENGTH];
  if (platform_get_temp_dir(temp_base, sizeof(temp_base))) {
    append_base_if_valid(temp_base, bases, &base_count);
  }
 
  char *config_dir = get_config_dir();
  if (config_dir) {
    append_base_if_valid(config_dir, bases, &base_count);
  }
 
  const char *home_env = platform_get_home_dir();
  if (home_env) {
    append_base_if_valid(home_env, bases, &base_count);
  }
 
  char ascii_chat_home[PLATFORM_MAX_PATH_LENGTH];
  if (home_env) {
    build_ascii_chat_path(home_env, ".ascii-chat", ascii_chat_home, sizeof(ascii_chat_home));
    append_base_if_valid(ascii_chat_home, bases, &base_count);
  }
 
#ifndef _WIN32
  char ascii_chat_home_tmp[PLATFORM_MAX_PATH_LENGTH];
  build_ascii_chat_path("/tmp", ".ascii-chat", ascii_chat_home_tmp, sizeof(ascii_chat_home_tmp));
  append_base_if_valid(ascii_chat_home_tmp, bases, &base_count);
#endif
 
  char ssh_home[PLATFORM_MAX_PATH_LENGTH];
  if (home_env) {
    build_ascii_chat_path(home_env, ".ssh", ssh_home, sizeof(ssh_home));
    append_base_if_valid(ssh_home, bases, &base_count);
  }
 
#ifdef _WIN32
  char program_data_logs[PLATFORM_MAX_PATH_LENGTH];
  const char *program_data = platform_getenv("PROGRAMDATA");
  if (program_data) {
    build_ascii_chat_path(program_data, "ascii-chat", program_data_logs, sizeof(program_data_logs));
    append_base_if_valid(program_data_logs, bases, &base_count);
  }
#else
  // System-wide config directories (for server deployments)
  append_base_if_valid("/etc/ascii-chat", bases, &base_count);
  append_base_if_valid("/usr/local/etc/ascii-chat", bases, &base_count);
  append_base_if_valid("/var/log", bases, &base_count);
  append_base_if_valid("/var/tmp", bases, &base_count);
  append_base_if_valid("/tmp", bases, &base_count);
#ifdef __APPLE__
  // On macOS, /tmp is a symlink to /private/tmp
  append_base_if_valid("/private/tmp", bases, &base_count);
  // On macOS, all user home directories are under /Users
  append_base_if_valid("/Users", bases, &base_count);
#endif
#endif
 
  // Security check: Reject paths that point to sensitive system files
  // This applies to all path roles, not just logs
  if (is_sensitive_system_path(normalized_buf)) {
    SAFE_FREE(expanded);
    if (config_dir) {
      SAFE_FREE(config_dir);
    }
    return SET_ERRNO(map_role_to_error(role), "Cannot write to protected system path: %s", normalized_buf);
  }
 
  // For log files, apply special validation rules
  if (role == PATH_ROLE_LOG_FILE) {
    // Check if path is a regular file (not a directory, not non-existent)
    // On macOS, fopen() can succeed on directories, so we must use platform_is_regular_file()
    bool is_regular_file = platform_is_regular_file(normalized_buf);
 
    // If a regular file exists, it MUST be an ascii-chat log or empty file to be overwritten
    if (is_regular_file && !is_existing_ascii_chat_log(normalized_buf) && !is_file_empty(normalized_buf)) {
      SAFE_FREE(expanded);
      if (config_dir) {
        SAFE_FREE(config_dir);
      }
      return SET_ERRNO(ERROR_LOGGING_INIT,
                       "Cannot overwrite existing non-ascii-chat file: %s\n"
                       "For safety, ascii-chat will only overwrite its own log files or empty files",
                       normalized_buf);
    }
 
    // If file doesn't exist (or is a directory), check that path is in safe locations
    if (!is_regular_file) {
      bool allowed = base_count == 0 ? true : path_is_within_any_base(normalized_buf, bases, base_count);
      if (!allowed) {
        SAFE_FREE(expanded);
        if (config_dir) {
          SAFE_FREE(config_dir);
        }
        return SET_ERRNO(ERROR_LOGGING_INIT,
                         "Log path %s is outside allowed directories (use -L /tmp/file.log, ~/file.log, or "
                         "relative/absolute paths in safe locations)",
                         normalized_buf);
      }
    }
  } else {
    // For non-log-file paths, apply standard whitelist validation
    bool allowed = base_count == 0 ? true : path_is_within_any_base(normalized_buf, bases, base_count);
    if (!allowed) {
      SAFE_FREE(expanded);
      if (config_dir) {
        SAFE_FREE(config_dir);
      }
      return SET_ERRNO(map_role_to_error(role), "Path %s is outside allowed directories", normalized_buf);
    }
  }
 
  char *result = SAFE_MALLOC(strlen(normalized_buf) + 1, char *);
  if (!result) {
    SAFE_FREE(expanded);
    if (config_dir) {
      SAFE_FREE(config_dir);
    }
    return SET_ERRNO(ERROR_MEMORY, "Failed to allocate normalized path");
  }
  safe_snprintf(result, strlen(normalized_buf) + 1, "%s", normalized_buf);
  *normalized_out = result;
 
  SAFE_FREE(expanded);
  if (config_dir) {
    SAFE_FREE(config_dir);
  }
  return ASCIICHAT_OK;
}

References expand_path(), get_config_dir(), path_is_absolute(), path_is_within_any_base(), path_looks_like_path(), path_normalize_copy(), platform_get_cwd(), platform_get_home_dir(), platform_get_temp_dir(), platform_getenv(), platform_is_regular_file(), PLATFORM_MAX_PATH_LENGTH, safe_snprintf(), and true.

Referenced by config_create_default(), config_load_and_apply(), parse_keys_from_file(), parse_log_file(), parse_private_key(), parse_public_key(), and validate_ssh_key_file().