Ngwpc 9962 sanitize inputs try new branch #72

Closed
danielcumpton wants to merge 3 commits into main from ngwpc-9962_sanitize_inputs_try_new_branch

@danielcumpton

[Short description explaining the high-level reason for the pull request]

Additions

The temporary path for storing a subset geopackage uses the id from the API input in the filename. This was sanitized by only allowing letters and numbers, normalizing the path, and checking against the already defined temp directory root.

Removals

Changes

Testing

Screenshots

Notes

Todos

Checklist

  • PR has an informative and human-readable title
  • Changes are limited to a single goal (no scope creep)
  • Code can be automatically merged (no conflicts)
  • Code follows project standards (link if applicable)
  • Passes all existing automated tests
  • Any change in functionality is tested
  • New functions are documented (with a description, list of inputs, and expected output)
  • Placeholder code is flagged / future todos are captured in comments
  • Visually tested in supported browsers and devices (see checklist below 👇)
  • Project documentation has been updated (including the "Unreleased" section of the CHANGELOG)
  • Reviewers requested with the Reviewers tool ➡️

Testing checklist

Target Environment support

  • Windows
  • Linux
  • Browser

Accessibility

  • Keyboard friendly
  • Screen reader friendly

Other

  • Is useable without CSS
  • Is useable without JS
  • Flexible from small to large screens
  • No linting errors or warnings
  • JavaScript tests are passing

@danielcumpton danielcumpton requested a review from dylanlee March 20, 2026 15:32
@danielcumpton danielcumpton self-assigned this Mar 20, 2026
#create sanitized path and filename
identifier_clean = re.sub(r"[^A-Za-z0-9_]", "_", identifier)
tmp_path = temp_dir / f"subset_{identifier_clean}_{unique_id}.gpkg"
tmp_path = tmp_path.resolve()
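Review bot: after tmp_path = tmp_path.resolve() nothing in the visible lines compares the resolved path with the temp directory root, which is the check the description relies on; the resolved tmp_path should be tested against temp_dir.resolve() (for example with Path.is_relative_to) and the request refused when it falls outside, before the file is created. On the re.sub line, disallowed characters are silently rewritten to "_" and the length of identifier is unbounded, so malformed input still reaches the filesystem in altered form; rejecting any identifier that does not fully match the allowed pattern, with a length cap, is easier to reason about. Minor: the comment needs a space after "#".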

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression (High)

This path depends on a user-provided value.

Copilot Autofix

AI 6 days ago

Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.

@dylanlee dylanlee left a comment

these changes were incorporated into main as part of #73, closing PR

@dylanlee dylanlee closed this Mar 23, 2026
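
The check described in the pull request text (letters and numbers only, normalize the path, compare against the temp directory root), written out as an added example; it is not code from this pull request or project. It rejects a bad identifier instead of rewriting it with re.sub as the snippet above does, and safe_subset_path, check_samples, MAX_ID_LEN and the sample identifiers are assumptions made up for illustration.

```python
import re
import tempfile
import uuid
from pathlib import Path

ALLOWED_ID = re.compile(r"[A-Za-z0-9]+")  # letters and digits only
MAX_ID_LEN = 64                           # assumed cap, not from the PR


def safe_subset_path(temp_root: Path, identifier: str) -> Path:
    """Return a subset .gpkg path inside temp_root or raise ValueError."""
    # fullmatch() also rejects a trailing newline, which a "$" anchor with
    # match() would let through.
    if len(identifier) > MAX_ID_LEN or not ALLOWED_ID.fullmatch(identifier):
        raise ValueError("identifier must be 1-64 ASCII letters or digits")
    root = temp_root.resolve()
    name = f"subset_{identifier}_{uuid.uuid4().hex}.gpkg"
    candidate = (root / name).resolve()  # normalize, following symlinks
    # Defense in depth: the normalized path must still sit under the root.
    if not candidate.is_relative_to(root):  # Python 3.9+
        raise ValueError("resolved path escapes the temp directory")
    return candidate


def check_samples() -> dict:
    """Run constructed identifiers through the check; map each to a verdict."""
    samples = ["gage01013500", "../../etc/passwd", "cat-12", "", "abc\n", "a" * 65]
    verdicts = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for ident in samples:
            try:
                path = safe_subset_path(root, ident)
                verdicts[ident] = "ok" if path.parent == root.resolve() else "escaped"
            except ValueError:
                verdicts[ident] = "rejected"
    return verdicts


if __name__ == "__main__":
    for ident, verdict in check_samples().items():
        print(f"{ident[:20]!r:24} {verdict}")
```

Because the function refuses rather than rewrites, the API handler can turn the ValueError into a client error and no altered identifier ever reaches the filesystem.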

2 participants