fix(reach): tighten --exclude-paths validation and accept config-file lists

Address review findings on the unified --exclude-paths flag:

- Reject '**/' (and any trailing-slash degenerate form): validation now strips the
  trailing slash before the degenerate-set check, matching Node's stripTrailingSlash.
  Previously '**/' slipped through and compiled to '.*', silently excluding everything.
- Accept a list value from a --config file (not just a comma-separated string): a new
  normalize_exclude_paths() handles both, so config-file-supplied patterns flow through
  the same validation instead of crashing on str.split.

Adds tests for '**/' rejection and config-file list/string/validation paths.

Author: mtorp

pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "socketsecurity"
-version = "2.4.2"
+version = "2.4.3"
 requires-python = ">= 3.11"
 license = {"file" = "LICENSE"}
 dependencies = [

socketsecurity/__init__.py

@@ -1,3 +1,3 @@
 __author__ = 'socket.dev'
-__version__ = '2.4.2'
+__version__ = '2.4.3'
 USER_AGENT = f'SocketPythonCLI/{__version__}'

socketsecurity/config.py

@@ -55,14 +55,34 @@ def load_cli_config_file(config_path: str) -> dict:
         return scoped
     return data
 
+def normalize_exclude_paths(value) -> Optional[List[str]]:
+    """Normalize a --exclude-paths value into a clean list of patterns.
+
+    Accepts a comma-separated string (CLI) or a list/tuple (e.g. a JSON/TOML --config file
+    value), so config-file-supplied patterns flow through the same validation as CLI ones.
+    """
+    if not value:
+        return None
+    if isinstance(value, str):
+        items = value.split(",")
+    elif isinstance(value, (list, tuple)):
+        items = value
+    else:
+        return None
+    cleaned = [str(p).strip() for p in items if str(p).strip()]
+    return cleaned or None
+
+
 def validate_exclude_paths(patterns: List[str]) -> None:
     """Validate --exclude-paths patterns (mirrors Node's assertValidExcludePaths).
 
     Patterns are scan-root-relative globs. Reject the cases coana's --exclude-dirs / fast-glob
     cannot honor: negation, absolute paths, ``..`` traversal, and degenerate match-everything.
     Exits with code 1 on the first invalid pattern.
     """
-    degenerate = {"", ".", "./", "./**", "/", "**", "/**"}
+    # Degenerate match-everything forms, compared against the trailing-slash-stripped pattern
+    # (so "**/" reduces to "**" and is rejected, matching Node's stripTrailingSlash + check).
+    degenerate = {"", ".", "**", "./**", "/**"}
     for p in patterns:
         norm = (p or "").strip().replace("\\", "/")
         if norm.startswith("!"):
@@ -74,7 +94,7 @@ def validate_exclude_paths(patterns: List[str]) -> None:
         if norm == ".." or norm.startswith("../") or "/../" in norm or norm.endswith("/.."):
             logging.error(f"--exclude-paths: '..' path traversal is not allowed: {p!r}")
             exit(1)
-        if norm in degenerate:
+        if norm.rstrip("/") in degenerate:
             logging.error(f"--exclude-paths: pattern would exclude everything: {p!r}")
             exit(1)
 
@@ -289,7 +309,7 @@ def from_args(cls, args_list: Optional[List[str]] = None) -> 'CliConfig':
             'reach_lazy_mode': args.reach_lazy_mode,
             'reach_ecosystems': args.reach_ecosystems.split(',') if args.reach_ecosystems else None,
             'reach_exclude_paths': args.reach_exclude_paths.split(',') if args.reach_exclude_paths else None,
-            'exclude_paths': [p.strip() for p in args.exclude_paths.split(',') if p.strip()] if args.exclude_paths else None,
+            'exclude_paths': normalize_exclude_paths(args.exclude_paths),
             'reach_skip_cache': args.reach_skip_cache,
             'reach_min_severity': args.reach_min_severity,
             'reach_output_file': args.reach_output_file,

tests/unit/test_exclude_paths.py

@@ -87,7 +87,7 @@ def test_reach_exclude_paths_still_works_and_warns(caplog):
 
 @pytest.mark.parametrize(
     "bad",
-    ["!foo", "/abs/path", "..", "../escape", "a/../b", ".", "**", "/**", "./**"],
+    ["!foo", "/abs/path", "..", "../escape", "a/../b", ".", "**", "**/", "/**", "./", "./**"],
 )
 def test_exclude_paths_validation_rejects(bad):
     with pytest.raises(SystemExit) as exc:
@@ -101,6 +101,34 @@ def test_exclude_paths_validation_rejects_within_csv():
     assert exc.value.code == 1
 
 
+def _write_config(tmp_path, value):
+    import json
+    path = tmp_path / "socketcli.json"
+    path.write_text(json.dumps({"socketcli": {"exclude_paths": value}}), encoding="utf-8")
+    return str(path)
+
+
+def test_exclude_paths_from_config_file_list(tmp_path):
+    """A JSON list in --config flows through normalization (not just CSV strings)."""
+    cfg = _write_config(tmp_path, ["tests/**", "packages/legacy"])
+    config = CliConfig.from_args(BASE_ARGS + ["--config", cfg])
+    assert config.exclude_paths == ["tests/**", "packages/legacy"]
+
+
+def test_exclude_paths_from_config_file_string(tmp_path):
+    cfg = _write_config(tmp_path, "tests/**, packages/legacy")
+    config = CliConfig.from_args(BASE_ARGS + ["--config", cfg])
+    assert config.exclude_paths == ["tests/**", "packages/legacy"]
+
+
+def test_exclude_paths_from_config_file_is_validated(tmp_path):
+    """Config-file patterns are validated too (not bypassed)."""
+    cfg = _write_config(tmp_path, ["../escape"])
+    with pytest.raises(SystemExit) as exc:
+        CliConfig.from_args(BASE_ARGS + ["--config", cfg])
+    assert exc.value.code == 1
+
+
 def test_exclude_paths_valid_globs_accepted():
     config = CliConfig.from_args(BASE_ARGS + ["--exclude-paths", "tests/**,**/*.spec.ts,packages/legacy"])
     assert config.exclude_paths == ["tests/**", "**/*.spec.ts", "packages/legacy"]