Skip to content

fix: Potential fix for code scanning alert no. 75: Uncontrolled data used in path expression #421

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 16, 2025
Merged

fix: Potential fix for code scanning alert no. 75: Uncontrolled data used in path expression #421

merged 3 commits into from
Jul 16, 2025

Conversation

filipchristiansen
Copy link
Contributor

Potential fix for https://github.com/coderamp-labs/gitingest/security/code-scanning/75

To fix this issue, we need to validate and sanitize the directory path constructed from ingest_id. This can be done by:

  1. Normalizing the path using os.path.normpath to eliminate any path traversal elements (e.g., ../).
  2. Ensuring the normalized path resides within the intended base directory (TMP_BASE_PATH) by checking that it starts with the absolute path of TMP_BASE_PATH.

This approach ensures that user-provided input cannot escape the boundaries of the intended directory structure.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@filipchristiansen @github-advanced-security
Potential fix for code scanning alert no. 75: Uncontrolled data used …
62634b3 
…in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@filipchristiansen filipchristiansen marked this pull request as ready for review July 15, 2025 21:38
github-advanced-security[bot]
github-advanced-security bot found potential problems Jul 15, 2025
View reviewed changes
src/server/routers/ingest.py Outdated
directory = TMP_BASE_PATH / ingest_id
directory = directory.resolve()

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression High

This path depends on a
user-provided value
Loading
.

Copilot Autofix

AI 2 days ago

To fix the issue, we need to ensure that the constructed path (directory) is normalized and validated against the base directory (TMP_BASE_PATH) after normalization. This involves using os.path.realpath or pathlib.Path.resolve() to normalize the path and then verifying that the normalized path starts with the base directory. This ensures that even if the user provides a malicious ingest_id value, the resulting path cannot escape the intended directory.

Steps to implement the fix:

  1. Normalize the path using directory.resolve().
  2. Validate that the normalized path starts with the base directory (TMP_BASE_PATH) using startswith.
  3. Raise an appropriate HTTP exception if the validation fails.
Suggested changeset 1
src/server/routers/ingest.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/server/routers/ingest.py b/src/server/routers/ingest.py
--- a/src/server/routers/ingest.py
+++ b/src/server/routers/ingest.py
@@ -116,3 +116,6 @@
     directory = TMP_BASE_PATH / ingest_id
-    directory = directory.resolve()
+    try:
+        directory = directory.resolve(strict=True)
+    except FileNotFoundError:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=f"Digest {ingest_id!r} not found")
     if not str(directory).startswith(str(TMP_BASE_PATH)):
EOF
@@ -116,3 +116,6 @@
directory = TMP_BASE_PATH / ingest_id
directory = directory.resolve()
try:
directory = directory.resolve(strict=True)
except FileNotFoundError:
raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=f"Digest {ingest_id!r} not found")
if not str(directory).startswith(str(TMP_BASE_PATH)):
Copilot is powered by AI and may make mistakes. Always verify output.
Unable to commit as this autofix suggestion is now outdated
Copilot
Copilot AI reviewed Jul 15, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR addresses a security vulnerability (code scanning alert no. 75) related to uncontrolled data used in path expressions by implementing path validation and sanitization for the download_ingest endpoint.

  • Adds path traversal protection by resolving the directory path and validating it stays within the intended base directory
  • Implements security check to prevent directory traversal attacks through malicious ingest_id parameters
  • Raises a 403 Forbidden error when path validation fails

filipchristiansen and others added 2 commits July 16, 2025 00:03
@filipchristiansen @Copilot
Update src/server/routers/ingest.py
5090e02 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@filipchristiansen @Copilot
Update src/server/routers/ingest.py
0fed34a 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@filipchristiansen filipchristiansen changed the title Potential fix for code scanning alert no. 75: Uncontrolled data used in path expression fix: Potential fix for code scanning alert no. 75: Uncontrolled data used in path expression Jul 15, 2025
ix-56h
ix-56h approved these changes Jul 16, 2025
View reviewed changes
Copy link
Contributor

@ix-56h ix-56h left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@filipchristiansen filipchristiansen removed the request for review from NicolasIRAGNE July 16, 2025 09:06
@filipchristiansen filipchristiansen marked this pull request as draft July 16, 2025 09:06
@filipchristiansen filipchristiansen marked this pull request as ready for review July 16, 2025 09:07
@filipchristiansen filipchristiansen merged commit 9ceaf6c into main Jul 16, 2025
21 of 23 checks passed
@filipchristiansen filipchristiansen deleted the alert-autofix-75 branch July 16, 2025 18:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@ix-56h ix-56h ix-56h approved these changes

@NicolasIRAGNE NicolasIRAGNE Awaiting requested review from NicolasIRAGNE

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@filipchristiansen @ix-56h