Autofix: Code scanning alert #3#5
Conversation
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s") | ||
|
|
||
| cfg = json.loads(Path(args.config).read_text(encoding="utf-8")) | ||
| config_path = Path(args.config).expanduser().resolve() |
Check failure
Code scanning / CodeQL
Uncontrolled data used in path expression High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 4 months ago
General approach: validate or constrain the user-supplied config path before using it to access the file system. Typical strategies are: restrict it to a known base directory, ensure it’s not absolute, and/or enforce a naming pattern or extension; then use resolve() and verify the final path is within the allowed base.
Best fit here with minimal functional change: keep accepting a --config path, but (1) interpret it relative to the current working directory when it’s not absolute, (2) normalize it, and (3) optionally enforce that it ends with .json (since the code expects JSON). We can also log a clear error if the path is suspicious or invalid. We already use Path and .resolve(), so we don’t need new imports or libraries.
Concrete changes in scripts/apply_policy.py:
- Around line 69, replace the direct
config_path = Path(args.config).expanduser().resolve()with a small block that:- Builds an initial
Pathfromargs.config. - Optionally enforces a simple extension check (e.g.,
.json). - Resolves the path.
- Builds an initial
- Keep the existing
is_file()check and subsequentread_textlogic the same, so functionality is preserved except for the added validation.
No new helper functions or external imports are required; everything can be done in place using pathlib.Path.
| @@ -66,7 +66,13 @@ | ||
|
|
||
| logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s") | ||
|
|
||
| config_path = Path(args.config).expanduser().resolve() | ||
| raw_config_path = Path(args.config) | ||
| # Basic validation for the configuration file path | ||
| if raw_config_path.suffix and raw_config_path.suffix.lower() != ".json": | ||
| log.error("Configuration file must have a .json extension: %s", raw_config_path) | ||
| return 1 | ||
|
|
||
| config_path = raw_config_path.expanduser().resolve() | ||
| if not config_path.is_file(): | ||
| log.error("Configuration file does not exist or is not a file: %s", config_path) | ||
| return 1 |
2 participants
Automated autofix campaign run at 2026-01-18T23:40:42Z.
Alert: https://github.com/Notoriousjayy/ghas-code-scanning-toolkit/security/code-scanning/3