Skip to content

Potential fix for code scanning alert no. 81: Uncontrolled data used in path expression#139

Merged
artiphishle merged 1 commit into
mainfrom
alert-autofix-81
Jan 28, 2026
Merged

Potential fix for code scanning alert no. 81: Uncontrolled data used in path expression#139
artiphishle merged 1 commit into
mainfrom
alert-autofix-81

Conversation

@artiphishle

Copy link
Copy Markdown
Owner

Potential fix for https://github.com/artiphishle/pkgviz/security/code-scanning/81

In general, to fix uncontrolled path usage you should (1) normalize the user‑supplied path, and (2) enforce that it stays within a trusted base directory (or otherwise validate it, e.g., via an allow list), before using it in filesystem APIs. This prevents directory traversal such as ../../../etc/passwd even when the application appears to be working with a “directory root”.

In this file, safeReadFileSync already implements the “normalize relative to base and check prefix” pattern for files. We should adopt a similar approach for directories: introduce a safeResolveDir helper that takes a trusted baseDir and an untrusted directoryPath, resolves the directory path against the base, and verifies that the resulting absolute path is still under baseDir (using path.resolve and a startsWith check that accounts for separators). Then, update isCppRoot, isPythonRoot, isDelphiRoot, and isKotlinRoot to use this helper instead of calling path.resolve directly on the untrusted directoryPath. This preserves existing behavior for valid inputs while adding traversal protection.

Concretely, in src/shared/utils/detectLanguage.ts:

  • Add a new helper function near safeReadFileSync, for example safeResolveDir(baseDir: string, directoryPath: string): string, that:
    • Computes const resolvedBaseDir = path.resolve(baseDir);
    • Computes const resolvedDirectoryPath = path.resolve(baseDir, directoryPath);
    • Verifies resolvedDirectoryPath starts with resolvedBaseDir + path.sep; if not, throws an error.
    • Returns resolvedDirectoryPath.
  • Decide on a base directory. Since we cannot see the rest of the code, the safest non‑breaking assumption is to treat the current working directory (process.cwd()) as the base for these language‑root checks, which matches typical “project root is under CWD” assumptions in tooling.
  • Replace in each of isCppRoot, isPythonRoot, isDelphiRoot, and isKotlinRoot the line const resolvedPath = path.resolve(directoryPath); with a call to safeResolveDir(process.cwd(), directoryPath);.

No new imports are required because we already import fs and path, and Node’s process.cwd() is globally available.


Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@artiphishle artiphishle marked this pull request as ready for review January 28, 2026 23:32
@artiphishle artiphishle merged commit dca795a into main Jan 28, 2026
4 checks passed
@artiphishle artiphishle deleted the alert-autofix-81 branch January 28, 2026 23:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant