Fix invalid ID format error for paths with special characters

Ricoledan · Ricoledan · commit 92f16f8a490c · 2026-02-03T10:02:37.000-05:00
Chunk ID generation now sanitizes all non-alphanumeric characters (except
`-` and `_`) to prevent InvalidIdError when indexing files with:
- @ symbols (scoped packages like @scope/package)
- Spaces in paths
- Parentheses (e.g., file (copy).ts)
- Plus signs (e.g., c++/main.cpp)
- Colons (Windows paths like C:\Users\...)

The fix adds a catch-all regex `.replace(/[^a-zA-Z0-9_-]/g, '_')` to
generateChunkId(), sanitizePathPattern(), and sanitizeGlobPattern().
diff --git a/src/chunker/index.ts b/src/chunker/index.ts
@@ -172,10 +172,28 @@ function extractDocstring(
 }
 
 /**
- * Generate chunk ID from file path and position
+ * Generate chunk ID from file path and position.
+ *
+ * Normalizes file paths to create IDs that match the allowed pattern
+ * `/^[a-zA-Z0-9_-]+$/` used by the store's ID validation.
+ *
+ * Characters replaced:
+ * - `/` and `\` (path separators) → `_`
+ * - `.` (dots) → `_`
+ * - `@`, spaces, parentheses, `+`, `:`, and any other non-alphanumeric
+ *   characters (except `-` and `_`) → `_`
+ *
+ * This handles paths like:
+ * - `@scope/package/file.ts` → `_scope_package_file_ts`
+ * - `path with spaces/file.ts` → `path_with_spaces_file_ts`
+ * - `file (copy).ts` → `file__copy__ts`
+ * - `c++/main.cpp` → `c___main_cpp`
  */
 function generateChunkId(filePath: string, startLine: number): string {
-  const normalized = filePath.replace(/[\\/]/g, '_').replace(/\./g, '_');
+  const normalized = filePath
+    .replace(/[\\/]/g, '_')         // path separators
+    .replace(/\./g, '_')            // dots
+    .replace(/[^a-zA-Z0-9_-]/g, '_'); // any remaining unsafe chars
   return `${normalized}_L${startLine}`;
 }
 
diff --git a/src/search/filter-builder.ts b/src/search/filter-builder.ts
@@ -108,12 +108,14 @@ export function validateFilterPattern(pattern: string): boolean {
  * ```
  */
 export function sanitizePathPattern(path: string): string {
-  // Replace path separators and dots with underscores
+  // Replace path separators, dots, and any other non-safe characters
+  // This must match the normalization in generateChunkId (chunker/index.ts)
   const sanitized = path
-    .replace(/[\\/]/g, '_')
-    .replace(/\./g, '_');
+    .replace(/[\\/]/g, '_')           // path separators
+    .replace(/\./g, '_')              // dots
+    .replace(/[^a-zA-Z0-9_-]/g, '_'); // any remaining unsafe chars
 
-  // Validate the result
+  // Validate the result (should always pass now, but kept for defense-in-depth)
   if (!validateFilterPattern(sanitized)) {
     throw new InvalidFilterError(
       `Invalid path pattern: contains disallowed characters`
@@ -147,14 +149,16 @@ export function sanitizePathPattern(path: string): string {
  */
 export function sanitizeGlobPattern(pattern: string): string {
   // Convert glob patterns to SQL LIKE patterns
+  // This must match the normalization in generateChunkId (chunker/index.ts)
   const sanitized = pattern
-    .replace(/\*\*/g, '%')      // ** -> %
-    .replace(/\*/g, '%')         // * -> %
-    .replace(/\?/g, '_')         // ? -> _
-    .replace(/[\\/]/g, '_')     // path separators -> _
-    .replace(/\./g, '_');        // . -> _
+    .replace(/\*\*/g, '%')            // ** -> %
+    .replace(/\*/g, '%')              // * -> %
+    .replace(/\?/g, '_')              // ? -> _
+    .replace(/[\\/]/g, '_')           // path separators -> _
+    .replace(/\./g, '_')              // . -> _
+    .replace(/[^a-zA-Z0-9_%-]/g, '_'); // any remaining unsafe chars (keep % for LIKE)
 
-  // Validate the result
+  // Validate the result (should always pass now, but kept for defense-in-depth)
   if (!validateFilterPattern(sanitized)) {
     throw new InvalidFilterError(
       `Invalid file pattern: contains disallowed characters`
diff --git a/tests/chunker/chunker.test.ts b/tests/chunker/chunker.test.ts
@@ -394,6 +394,58 @@ function c() { return 3; }
 
         expect(chunks[0]?.id).toContain('path_to_file_ts');
       });
+
+      it('should handle @ symbols in paths (scoped packages)', async () => {
+        const code = `function test() { return true; }`;
+        const chunks = await chunkCode(code, '/node_modules/@scope/package/index.ts');
+
+        // @ should be replaced with underscore
+        expect(chunks[0]?.id).toContain('_scope_package_index_ts');
+        // ID should only contain safe characters
+        expect(chunks[0]?.id).toMatch(/^[a-zA-Z0-9_-]+$/);
+      });
+
+      it('should handle spaces in paths', async () => {
+        const code = `function test() { return true; }`;
+        const chunks = await chunkCode(code, '/path with spaces/my file.ts');
+
+        // Spaces should be replaced with underscores
+        expect(chunks[0]?.id).toContain('path_with_spaces_my_file_ts');
+        expect(chunks[0]?.id).toMatch(/^[a-zA-Z0-9_-]+$/);
+      });
+
+      it('should handle parentheses in paths', async () => {
+        const code = `function test() { return true; }`;
+        const chunks = await chunkCode(code, '/test/file (copy).ts');
+
+        // Parentheses should be replaced with underscores
+        expect(chunks[0]?.id).toContain('file__copy__ts');
+        expect(chunks[0]?.id).toMatch(/^[a-zA-Z0-9_-]+$/);
+      });
+
+      it('should handle plus signs in paths (c++ directories)', async () => {
+        const code = `
+#include <iostream>
+int main() {
+    std::cout << "Hello";
+    return 0;
+}
+`;
+        const chunks = await chunkCode(code, '/projects/c++/main.cpp');
+
+        // Plus signs should be replaced with underscores
+        expect(chunks[0]?.id).toContain('c___main_cpp');
+        expect(chunks[0]?.id).toMatch(/^[a-zA-Z0-9_-]+$/);
+      });
+
+      it('should handle colons in Windows-style paths', async () => {
+        const code = `function test() { return true; }`;
+        const chunks = await chunkCode(code, 'C:\\Users\\test\\file.ts');
+
+        // Colons and backslashes should be replaced with underscores
+        expect(chunks[0]?.id).toContain('C__Users_test_file_ts');
+        expect(chunks[0]?.id).toMatch(/^[a-zA-Z0-9_-]+$/);
+      });
     });
 
     describe('Fallback chunking', () => {
diff --git a/tests/search/hybrid-search.test.ts b/tests/search/hybrid-search.test.ts
@@ -60,16 +60,21 @@ describe('Hybrid Search', () => {
       expect(filter).toContain("language = 'typescript'");
     });
 
-    it('should throw on SQL injection in path', () => {
-      expect(() => buildSafeFilter({ path: "'; DROP TABLE--" })).toThrow(
-        InvalidFilterError
-      );
+    it('should sanitize SQL injection in path', () => {
+      // SQL injection attempts are now sanitized (unsafe chars replaced with _)
+      const result = buildSafeFilter({ path: "'; DROP TABLE--" });
+      expect(result).toBe("id LIKE '___DROP_TABLE--%'");
+      // The inner value should only contain safe characters
+      const innerValue = result?.match(/id LIKE '([^']+)'/)?.[1];
+      expect(innerValue).toMatch(/^[a-zA-Z0-9_%-]+$/);
     });
 
-    it('should throw on SQL injection in file pattern', () => {
-      expect(() =>
-        buildSafeFilter({ filePattern: "**/*'; DROP TABLE--" })
-      ).toThrow(InvalidFilterError);
+    it('should sanitize SQL injection in file pattern', () => {
+      // SQL injection attempts are now sanitized (unsafe chars replaced with _)
+      const result = buildSafeFilter({ filePattern: "**/*'; DROP TABLE--" });
+      // ** -> %, / -> _, * -> %, ' -> _, ; -> _, space -> _
+      // buildFilePatternCondition adds leading % for suffix matching
+      expect(result).toBe("id LIKE '%%_%___DROP_TABLE--'");
     });
   });
 
diff --git a/tests/security/sql-injection.test.ts b/tests/security/sql-injection.test.ts
@@ -75,13 +75,35 @@ describe('SQL Injection Prevention', () => {
       expect(sanitizePathPattern('src.test.file')).toBe('src_test_file');
     });
 
-    it('should throw on SQL injection attempts', () => {
-      expect(() => sanitizePathPattern("src'; DROP TABLE--/")).toThrow(
-        InvalidFilterError
-      );
-      expect(() => sanitizePathPattern("test' OR '1'='1")).toThrow(
-        InvalidFilterError
-      );
+    it('should handle @ symbols in scoped package paths', () => {
+      expect(sanitizePathPattern('@scope/package/file')).toBe('_scope_package_file');
+      expect(sanitizePathPattern('node_modules/@types/node')).toBe('node_modules__types_node');
+    });
+
+    it('should handle spaces in paths', () => {
+      expect(sanitizePathPattern('path with spaces/file')).toBe('path_with_spaces_file');
+      expect(sanitizePathPattern('My Documents/project')).toBe('My_Documents_project');
+    });
+
+    it('should handle parentheses in paths', () => {
+      expect(sanitizePathPattern('file (copy)')).toBe('file__copy_');
+      expect(sanitizePathPattern('Component(HOC).tsx')).toBe('Component_HOC__tsx');
+    });
+
+    it('should handle plus signs in paths', () => {
+      expect(sanitizePathPattern('c++/main')).toBe('c___main');
+    });
+
+    it('should handle colons in Windows paths', () => {
+      expect(sanitizePathPattern('C:\\Users\\test')).toBe('C__Users_test');
+    });
+
+    it('should sanitize SQL injection attempts instead of throwing', () => {
+      // These now get sanitized rather than throwing, since the catch-all
+      // replaces all unsafe characters with underscores
+      const result = sanitizePathPattern("src'; DROP TABLE--/");
+      expect(result).toBe('src___DROP_TABLE--_');
+      expect(result).toMatch(/^[a-zA-Z0-9_\-%]+$/);
     });
   });
 
@@ -93,10 +115,12 @@ describe('SQL Injection Prevention', () => {
       expect(sanitizeGlobPattern('src/??.ts')).toBe('src____ts');
     });
 
-    it('should throw on SQL injection in glob patterns', () => {
-      expect(() => sanitizeGlobPattern("*'; DROP TABLE--")).toThrow(
-        InvalidFilterError
-      );
+    it('should sanitize SQL injection in glob patterns', () => {
+      // SQL injection attempts are now sanitized (unsafe chars replaced with _)
+      const result = sanitizeGlobPattern("*'; DROP TABLE--");
+      // * -> %, ' -> _, ; -> _, space -> _
+      expect(result).toBe('%___DROP_TABLE--');
+      expect(result).toMatch(/^[a-zA-Z0-9_%-]+$/);
     });
   });
 
@@ -164,16 +188,21 @@ describe('SQL Injection Prevention', () => {
       expect(result).toBe("id LIKE 'src%' AND language = 'typescript'");
     });
 
-    it('should throw on SQL injection in path', () => {
-      expect(() => buildSafeFilter({ path: "'; DROP TABLE--" })).toThrow(
-        InvalidFilterError
-      );
+    it('should sanitize SQL injection in path', () => {
+      // SQL injection attempts are now sanitized (unsafe chars replaced with _)
+      const result = buildSafeFilter({ path: "'; DROP TABLE--" });
+      expect(result).toBe("id LIKE '___DROP_TABLE--%'");
+      // The sanitized inner value contains only safe characters
+      // (the outer quotes are SQL string delimiters, not part of the user input)
+      const innerValue = result?.match(/id LIKE '([^']+)'/)?.[1];
+      expect(innerValue).toMatch(/^[a-zA-Z0-9_%-]+$/);
     });
 
-    it('should throw on SQL injection in file pattern', () => {
-      expect(() => buildSafeFilter({ filePattern: "*.ts'; DROP TABLE--" })).toThrow(
-        InvalidFilterError
-      );
+    it('should sanitize SQL injection in file pattern', () => {
+      // SQL injection attempts are now sanitized (unsafe chars replaced with _)
+      const result = buildSafeFilter({ filePattern: "*.ts'; DROP TABLE--" });
+      // * -> %, . -> _, ' -> _, ; -> _, space -> _, etc.
+      expect(result).toBe("id LIKE '%%_ts___DROP_TABLE--'");
     });
   });
 
@@ -192,23 +221,34 @@ describe('SQL Injection Prevention', () => {
     ];
 
     it.each(sqlInjectionPayloads)(
-      'should reject injection payload: %s',
+      'should reject injection payload via validateFilterPattern: %s',
       (payload) => {
         expect(validateFilterPattern(payload)).toBe(false);
       }
     );
 
     it.each(sqlInjectionPayloads)(
-      'should throw on sanitizePathPattern with: %s',
+      'should sanitize injection payload and produce safe result: %s',
       (payload) => {
-        expect(() => sanitizePathPattern(payload)).toThrow(InvalidFilterError);
+        // sanitizePathPattern now sanitizes rather than throws
+        const result = sanitizePathPattern(payload);
+        // The result should only contain safe characters
+        expect(validateFilterPattern(result)).toBe(true);
+        // Should not contain any SQL-dangerous characters
+        expect(result).not.toMatch(/['";\(\)=<>]/);
       }
     );
 
     it.each(sqlInjectionPayloads)(
-      'should throw on buildSafeFilter path with: %s',
+      'should produce safe filter for buildSafeFilter path: %s',
       (payload) => {
-        expect(() => buildSafeFilter({ path: payload })).toThrow(InvalidFilterError);
+        // buildSafeFilter now sanitizes rather than throws
+        const result = buildSafeFilter({ path: payload });
+        // Should be a valid LIKE condition
+        expect(result).toMatch(/^id LIKE '[a-zA-Z0-9_%-]+'$/);
+        // Should not contain unescaped quotes (the one at start/end are the SQL string delimiters)
+        const innerContent = result?.slice(9, -1); // Extract content between "id LIKE '" and "'"
+        expect(innerContent).not.toContain("'");
       }
     );
   });
