PR #36888: fix(core): guard FileChatMessageHistory example against path traversal

• Repository: langchain-ai/langchain
• Author: beejak
• State: closed | merged: False
• Link: https://github.com/langchain-ai/langchain/pull/36888

Description (problem / solution / changelog)

Fixes #36887

Summary

The BaseChatMessageHistory docstring example uses os.path.join(storage_path, session_id) directly. session_id is user-controlled in typical web deployments (via RunnableWithMessageHistory's configurable dict). Two bypass vectors exist:

1. Relative traversal — session_id="../../etc/shadow" resolves outside storage_path
2. Absolute path — on POSIX, os.path.join("/safe/dir", "/etc/shadow") returns "/etc/shadow", discarding the base entirely

Fix: Added _safe_path() helper using os.path.realpath() to assert the resolved path stays within storage_path before any file I/O. All three operations (messages, add_messages, clear) go through this helper.

def _safe_path(self) -> str:
    base = os.path.realpath(self.storage_path)
    resolved = os.path.realpath(os.path.join(self.storage_path, self.session_id))
    if not resolved.startswith(base + os.sep) and resolved != base:
        raise ValueError(
            f"Invalid session_id '{self.session_id}': "
            "path resolves outside storage_path."
        )
    return resolved

Test plan

• session_id = "safe_session" → works normally
• session_id = "../../etc/passwd" → raises ValueError
• session_id = "/etc/passwd" → raises ValueError (absolute path bypass)
• session_id = "subdir/session" → works if subdir is within storage_path

Note: langchain-community's FileChatMessageHistory uses a different API (file_path directly) and is not affected.

Some code in this commit was written with assistance from Claude Sonnet 4.6 (AI).

🤖 Generated with Claude Code

Changed files

• libs/core/langchain_core/chat_history.py (modified, +19/-7)