From 62634b353c61f778d0458ce1e105d56f3d469806 Mon Sep 17 00:00:00 2001
From: Filip Christiansen <22807962+filipchristiansen@users.noreply.github.com>
Date: Tue, 15 Jul 2025 23:37:59 +0200
Subject: [PATCH 1/3] Potential fix for code scanning alert no. 75: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/server/routers/ingest.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/server/routers/ingest.py b/src/server/routers/ingest.py
index 514db272..58cf8472 100644
--- a/src/server/routers/ingest.py
+++ b/src/server/routers/ingest.py
@@ -112,7 +112,11 @@ async def download_ingest(ingest_id: str) -> FileResponse:
 - **HTTPException**: **403** - the process lacks permission to read the directory or file
 """
+ # Normalize and validate the directory path
 directory = TMP_BASE_PATH / ingest_id
+ directory = directory.resolve()
+ if not str(directory).startswith(str(TMP_BASE_PATH)):
+ raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=f"Invalid ingest ID: {ingest_id!r}")
 if not directory.is_dir():
 raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=f"Digest {ingest_id!r} not found")
From 5090e027facc1d9a42d848941e047e0f1eef3316 Mon Sep 17 00:00:00 2001
From: Filip Christiansen <22807962+filipchristiansen@users.noreply.github.com>
Date: Wed, 16 Jul 2025 00:03:09 +0200
Subject: [PATCH 2/3] Update src/server/routers/ingest.py
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 src/server/routers/ingest.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/server/routers/ingest.py b/src/server/routers/ingest.py
index 58cf8472..501e4ac0 100644
--- a/src/server/routers/ingest.py
+++ b/src/server/routers/ingest.py
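Review bot: The containment test `str(directory).startswith(str(TMP_BASE_PATH))` in PATCH 1/3 compares strings rather than path components, so a resolved path in a sibling directory whose name merely begins with the base directory's name still passes; PATCH 2/3 and 3/3 keep the same string comparison. Comparing components closes that gap: `if not directory.is_relative_to(TMP_BASE_PATH.resolve()):` (pathlib, Python 3.9+). A regression test that requests an id resolving to such a sibling directory and expects 403 would pin the behaviour. The body of download_ingest continues outside the hunk, so what is served once the check passes is not visible here.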
@@ -113,8 +113,7 @@ async def download_ingest(ingest_id: str) -> FileResponse:
 """
 # Normalize and validate the directory path
- directory = TMP_BASE_PATH / ingest_id
- directory = directory.resolve()
+ directory = (TMP_BASE_PATH / ingest_id).resolve()
 if not str(directory).startswith(str(TMP_BASE_PATH)):
 raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=f"Invalid ingest ID: {ingest_id!r}")
From 0fed34af3f659d5679333d36d4a2e83775f51fa9 Mon Sep 17 00:00:00 2001
From: Filip Christiansen <22807962+filipchristiansen@users.noreply.github.com>
Date: Wed, 16 Jul 2025 00:03:34 +0200
Subject: [PATCH 3/3] Update src/server/routers/ingest.py
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 src/server/routers/ingest.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/server/routers/ingest.py b/src/server/routers/ingest.py
index 501e4ac0..521b7de0 100644
--- a/src/server/routers/ingest.py
+++ b/src/server/routers/ingest.py
@@ -114,7 +114,7 @@ async def download_ingest(ingest_id: str) -> FileResponse:
 """
 # Normalize and validate the directory path
 directory = (TMP_BASE_PATH / ingest_id).resolve()
- if not str(directory).startswith(str(TMP_BASE_PATH)):
+ if not str(directory).startswith(str(TMP_BASE_PATH.resolve())):
 raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=f"Invalid ingest ID: {ingest_id!r}")
 if not directory.is_dir():
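Review bot: With both sides resolved in PATCH 3/3, the guard on the changed line still accepts an `ingest_id` that resolves to the base directory itself or to a nested path several levels below it, so the `is_dir()` check that follows can succeed for something that is not one ingest's directory. If ingest ids are meant to be single directory names (presumably UUIDs; confirm against the code that creates them), require exactly one level, `if directory.parent != TMP_BASE_PATH.resolve():`, or validate the id format before the path is built. download_ingest continues past the last line of this hunk, so the effect of reaching the file lookup with the base directory cannot be judged from here.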