From b4a0740d53f126c0c49706edf303843b6e011ff9 Mon Sep 17 00:00:00 2001 From: Filip Christiansen <22807962+filipchristiansen@users.noreply.github.com> Date: Tue, 15 Jul 2025 23:38:19 +0200 Subject: [PATCH 1/2] Potential fix for code scanning alert no. 77: Uncontrolled data used in path expression Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- src/gitingest/query_parser.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/gitingest/query_parser.py b/src/gitingest/query_parser.py index 5fabb226..922877ce 100644 --- a/src/gitingest/query_parser.py +++ b/src/gitingest/query_parser.py @@ -327,7 +327,10 @@ def _parse_local_dir_path(path_str: str) -> IngestionQuery: A dictionary containing the parsed details of the file path. """ + root_path = TMP_BASE_PATH.resolve() path_obj = Path(path_str).resolve() + if os.path.commonpath([root_path, path_obj]) != str(root_path): + raise InvalidPatternError(f"Path {path_str} escapes the allowed root directory.") slug = path_obj.name if path_str == "." else path_str.strip("/") return IngestionQuery(local_path=path_obj, slug=slug, id=str(uuid.uuid4())) From f190606ad590499a9d62b27133ba0b7100085d04 Mon Sep 17 00:00:00 2001 From: Filip Christiansen <22807962+filipchristiansen@users.noreply.github.com> Date: Wed, 16 Jul 2025 00:16:53 +0200 Subject: [PATCH 2/2] fix --- src/gitingest/query_parser.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/gitingest/query_parser.py b/src/gitingest/query_parser.py index 922877ce..6e37ba16 100644 --- a/src/gitingest/query_parser.py +++ b/src/gitingest/query_parser.py @@ -2,6 +2,7 @@ from __future__ import annotations +import os import re import uuid import warnings 
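Review bot: In `_parse_local_dir_path`, `os.path.commonpath([root_path, path_obj])` raises `ValueError` when the two resolved paths are on different drives (Windows), so such input produces an unexpected exception type instead of the `InvalidPatternError` the check is meant to raise. A containment test that cannot raise is simpler: `if not path_obj.is_relative_to(root_path):` (available from Python 3.9). If older interpreters must be supported, wrap the call in `try/except ValueError` and raise `InvalidPatternError` from it. The same check is carried unchanged into the second hunk of PATCH 2/2, and the function's signature and the start of its docstring lie above this hunk.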
@@ -326,11 +327,17 @@ def _parse_local_dir_path(path_str: str) -> IngestionQuery: IngestionQuery A dictionary containing the parsed details of the file path. + Raises + ------ + InvalidPatternError + If the path escapes the allowed root directory. + """ root_path = TMP_BASE_PATH.resolve() path_obj = Path(path_str).resolve() if os.path.commonpath([root_path, path_obj]) != str(root_path): - raise InvalidPatternError(f"Path {path_str} escapes the allowed root directory.") + msg = f"Path {path_str} escapes the allowed root directory." + raise InvalidPatternError(msg) slug = path_obj.name if path_str == "." else path_str.strip("/") return IngestionQuery(local_path=path_obj, slug=slug, id=str(uuid.uuid4()))
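Review bot: The containment check placed above the `slug` line leaves the `path_str == "."` branch reachable only when the working directory is itself inside `TMP_BASE_PATH`, so ordinary local-directory input to `_parse_local_dir_path` now appears to be rejected wholesale. The callers are outside the hunk, so this is inferred from the visible lines. If the scanning alert concerns paths arriving from an untrusted request, consider enforcing the root at that caller, or passing the allowed root in as a parameter, rather than hard-coding it in the shared parser. The new Raises entry should name the root it enforces, for example `If the resolved path is not inside TMP_BASE_PATH.` Note also that `resolve()` validates the path only at parse time, so any later directory walk still has to refuse symlinks that lead out of the root, which cannot be confirmed from this hunk.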