Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix code scanning alert no. 1: Uncontrolled data used in path expression #166

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

CNSeniorious000
Copy link
Member

@CNSeniorious000 CNSeniorious000 commented Sep 25, 2024

Fixes https://github.com/promplate/demo/security/code-scanning/1
Fixes #119

To fix the problem, we need to ensure that the constructed file path remains within a safe root directory. This can be achieved by normalizing the path and checking that it starts with the root directory. We will use os.path.normpath to normalize the path and then verify that the resulting path starts with the root directory.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@@ -38,7 +38,10 @@
try:
return DotTemplate.read(glob()[stem])
except KeyError:
if (root / stem).is_dir():
fullpath = (root / stem).resolve()

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression High

This path depends on a
user-provided value
.

Copilot Autofix AI 3 months ago

To fix the problem, we need to ensure that the constructed file path is properly normalized before checking if it is within the root directory. This involves using os.path.normpath to normalize the path and then verifying that the normalized path starts with the root directory.

  1. Normalize the constructed file path using os.path.normpath.
  2. Check if the normalized path starts with the root directory.
  3. If the path is not within the root directory, raise an exception.
Suggested changeset 1
src/utils/load.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/utils/load.py b/src/utils/load.py
--- a/src/utils/load.py
+++ b/src/utils/load.py
@@ -1,2 +1,3 @@
 from pathlib import Path
+import os
 from re import sub
@@ -41,2 +42,3 @@
         fullpath = (root / stem).resolve()
+        fullpath = Path(os.path.normpath(fullpath))
         if not str(fullpath).startswith(str(root.resolve())):
EOF
@@ -1,2 +1,3 @@
from pathlib import Path
import os
from re import sub
@@ -41,2 +42,3 @@
fullpath = (root / stem).resolve()
fullpath = Path(os.path.normpath(fullpath))
if not str(fullpath).startswith(str(root.resolve())):
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No. os.path is not recommended to be used in modern python projects.

fullpath = (root / stem).resolve()
if not str(fullpath).startswith(str(root.resolve())):
raise Exception("Access to the path is not allowed")
if fullpath.is_dir():

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression High

This path depends on a
user-provided value
.

Copilot Autofix AI 3 months ago

To fix the problem, we need to ensure that the constructed file path is securely validated before being used. This involves normalizing the path and ensuring it is contained within a safe root directory. We will use os.path.normpath to normalize the path and then check that the normalized path starts with the root directory.

  1. Normalize the path using os.path.normpath.
  2. Ensure that the normalized path starts with the root directory.
  3. Update the _load_template function in src/utils/load.py to include these checks.
Suggested changeset 1
src/utils/load.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/utils/load.py b/src/utils/load.py
--- a/src/utils/load.py
+++ b/src/utils/load.py
@@ -1,2 +1,3 @@
 from pathlib import Path
+import os
 from re import sub
@@ -40,6 +41,6 @@
     except KeyError:
-        fullpath = (root / stem).resolve()
-        if not str(fullpath).startswith(str(root.resolve())):
+        fullpath = os.path.normpath((root / stem).resolve())
+        if not fullpath.startswith(str(root.resolve())):
             raise Exception("Access to the path is not allowed")
-        if fullpath.is_dir():
+        if Path(fullpath).is_dir():
             return getattr(components, stem)
EOF
@@ -1,2 +1,3 @@
from pathlib import Path
import os
from re import sub
@@ -40,6 +41,6 @@
except KeyError:
fullpath = (root / stem).resolve()
if not str(fullpath).startswith(str(root.resolve())):
fullpath = os.path.normpath((root / stem).resolve())
if not fullpath.startswith(str(root.resolve())):
raise Exception("Access to the path is not allowed")
if fullpath.is_dir():
if Path(fullpath).is_dir():
return getattr(components, stem)
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Fix code scanning alert - Uncontrolled data used in path expression
1 participant