Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check file path prefixes #1844

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Check file path prefixes #1844

wants to merge 1 commit into from

Conversation

ryan-pratt
Copy link
Contributor

No description provided.

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 17, 2025
View reviewed changes
openc3/lib/openc3/utilities/local_mode.rb
@@ -393,7 +394,10 @@

def self.open_local_file(path, scope:)
full_path = "#{OPENC3_LOCAL_MODE_PATH}/#{scope}/targets_modified/#{path}"
return File.open(full_path, 'rb')
if File.expand_path(full_path).start_with?(OPENC3_LOCAL_MODE_PATH)
return File.open(full_path, 'rb')

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression High

This path depends on a
user-provided value
Loading
.
This path depends on a
user-provided value
Loading
.
This path depends on a
user-provided value
Loading
.
This path depends on a
user-provided value
Loading
.
This path depends on a
user-provided value
Loading
.

Copilot Autofix AI 3 days ago

To fix the problem, we need to ensure that the full_path is properly sanitized and validated before being used in file operations. This can be achieved by implementing stricter validation rules and using a whitelist of allowed patterns for the scope and path parameters.

  1. Implement a method to validate the scope and path parameters against a whitelist of allowed patterns.
  2. Use this validation method in the open_local_file method to ensure that the full_path is safe to use.
  3. Update the sanitize_params method to include additional validation rules if necessary.
Suggested changeset 1
openc3/lib/openc3/utilities/local_mode.rb

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/openc3/lib/openc3/utilities/local_mode.rb b/openc3/lib/openc3/utilities/local_mode.rb
--- a/openc3/lib/openc3/utilities/local_mode.rb
+++ b/openc3/lib/openc3/utilities/local_mode.rb
@@ -395,2 +395,3 @@
     def self.open_local_file(path, scope:)
+      return nil unless valid_scope?(scope) && valid_path?(path)
       full_path = "#{OPENC3_LOCAL_MODE_PATH}/#{scope}/targets_modified/#{path}"
@@ -585,2 +586,15 @@
     end
+    private
+
+    def self.valid_scope?(scope)
+      # Add validation logic for scope
+      # Example: only allow alphanumeric characters and underscores
+      /^[a-zA-Z0-9_]+$/.match?(scope)
+    end
+
+    def self.valid_path?(path)
+      # Add validation logic for path
+      # Example: only allow alphanumeric characters, underscores, and forward slashes
+      /^[a-zA-Z0-9_\/]+$/.match?(path) && !path.include?('..')
+    end
   end
EOF
@@ -395,2 +395,3 @@
def self.open_local_file(path, scope:)
return nil unless valid_scope?(scope) && valid_path?(path)
full_path = "#{OPENC3_LOCAL_MODE_PATH}/#{scope}/targets_modified/#{path}"
@@ -585,2 +586,15 @@
end
private

def self.valid_scope?(scope)
# Add validation logic for scope
# Example: only allow alphanumeric characters and underscores
/^[a-zA-Z0-9_]+$/.match?(scope)
end

def self.valid_path?(path)
# Add validation logic for path
# Example: only allow alphanumeric characters, underscores, and forward slashes
/^[a-zA-Z0-9_\/]+$/.match?(path) && !path.include?('..')
end
end
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
@codecov Codecov
Copy link

codecov bot commented Jan 17, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 79.55%. Comparing base (a7788b7) to head (e3b052f).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1844      +/-   ##
==========================================
- Coverage   79.57%   79.55%   -0.02%     
==========================================
  Files         519      519              
  Lines       40774    40787      +13     
==========================================
+ Hits        32444    32447       +3     
- Misses       8330     8340      +10
Flag Coverage Δ
python 84.23% <ø> (-0.07%) ⬇️
ruby-api 48.72% <ø> (ø)
ruby-backend 82.59% <100.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@ryan-pratt