Fix home directory check in shell scripts to handle tilde (~) input

[Copilot]

Problem

The shell scripts for wallet extension preparation (prepare-phantom.sh, prepare-metamask.sh, prepare-coinbase.sh) had a security vulnerability in their directory validation logic. While they correctly checked for the expanded home directory path using "$TARGET_DIR" == "$HOME", they failed to handle cases where users pass the literal tilde character "~" as an argument.

The shell expands ~ to the full home directory path before the comparison in most contexts, but when passed as a literal string argument to these scripts, the comparison "$TARGET_DIR" == "~" was missing, allowing potentially dangerous operations in the user's home directory.

Solution

Added the missing "$TARGET_DIR" == "~" check to the security validation in all three wallet preparation scripts. The updated condition now properly handles both cases:

Before:

if [[ -z "$TARGET_DIR" || "$TARGET_DIR" == "/" || "$TARGET_DIR" == "$HOME" || "$TARGET_DIR" == "." || "$TARGET_DIR" == ".." ]]; then

After:

if [[ -z "$TARGET_DIR" || "$TARGET_DIR" == "/" || "$TARGET_DIR" == "~" || "$TARGET_DIR" == "$HOME" || "$TARGET_DIR" == "." || "$TARGET_DIR" == ".." ]]; then

Testing

Validated that all scripts now correctly:

• ✅ Reject "~" input with appropriate error messages
• ✅ Still reject $HOME directory as expected
• ✅ Accept safe directories like /tmp/safe-dir
• ✅ Preserve default behavior when no arguments are provided
• ✅ Pass all existing linting checks

Files Changed

• src/cli/prepare-phantom.sh - Added tilde check on line 40
• src/cli/prepare-metamask.sh - Added tilde check on line 40
• src/cli/prepare-coinbase.sh - Added tilde check on line 40
• .gitignore - Added exclusion for e2e/extensions/ directory

This fix ensures consistent security validation across all wallet preparation scripts and prevents potential misuse when users pass tilde characters as directory arguments.

Created from VS Code via the GitHub Pull Request extension.

---

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

[joe10832]

@copilot

[Copilot]

Pull Request Overview

This PR fixes a security vulnerability in wallet extension preparation scripts by adding proper validation for the tilde (~) character in directory path checks. The scripts now correctly reject both literal ~ input and expanded home directory paths to prevent dangerous operations.

• Added "$TARGET_DIR" == "~" check to security validation logic
• Applied fix consistently across all three wallet preparation scripts
• Enhanced directory validation to handle both tilde literal and expanded home directory cases

Reviewed Changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated no comments.

File	Description
src/cli/prepare-phantom.sh	Added tilde check to directory validation condition
src/cli/prepare-metamask.sh	Added tilde check to directory validation condition
src/cli/prepare-coinbase.sh	Added tilde check to directory validation condition

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}