Skip to content

fix: Potential fix for code scanning alert no. 77: Uncontrolled data used in path expression #422

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 2 commits into from
Closed

fix: Potential fix for code scanning alert no. 77: Uncontrolled data used in path expression #422

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b4a0740
Potential fix for code scanning alert no. 77: Uncontrolled data used …
filipchristiansen Jul 15, 2025
f190606
fix
filipchristiansen Jul 15, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions src/gitingest/query_parser.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -327,7 +327,10 @@ def _parse_local_dir_path(path_str: str) -> IngestionQuery:
A dictionary containing the parsed details of the file path.

"""
root_path = TMP_BASE_PATH.resolve()

This comment was marked as outdated.

Sign in to view

path_obj = Path(path_str).resolve()
if os.path.commonpath([root_path, path_obj]) != str(root_path):
Copy link

Copilot AI Jul 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The comparison converts root_path to string but uses the Path object directly in the commonpath call. This could lead to inconsistent behavior. Consider using str(root_path) consistently or compare Path objects directly.

Suggested change
if os.path.commonpath([root_path, path_obj]) != str(root_path):
if os.path.commonpath([str(root_path), str(path_obj)]) != str(root_path):

Copilot uses AI. Check for mistakes.
raise InvalidPatternError(f"Path {path_str} escapes the allowed root directory.")
Copy link

Copilot AI Jul 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The path validation logic has a potential issue: os.path.commonpath() can raise ValueError if the paths are on different drives (Windows) or if the list is empty. Consider wrapping this in a try-except block and also verify that both paths exist before comparison.

Suggested change
if os.path.commonpath([root_path, path_obj]) != str(root_path):
raise InvalidPatternError(f"Path {path_str} escapes the allowed root directory.")
# Ensure both paths exist
if not root_path.exists() or not path_obj.exists():
raise InvalidPatternError(f"One or both paths do not exist: {root_path}, {path_obj}")
# Check if path_obj is within root_path
try:
if os.path.commonpath([root_path, path_obj]) != str(root_path):
raise InvalidPatternError(f"Path {path_str} escapes the allowed root directory.")
except ValueError as e:
raise InvalidPatternError(f"Invalid path comparison: {e}")

Copilot uses AI. Check for mistakes.
slug = path_obj.name if path_str == "." else path_str.strip("/")
return IngestionQuery(local_path=path_obj, slug=slug, id=str(uuid.uuid4()))

Expand Down
Loading