Skip to content

fix: Potential fix for code scanning alert no. 10: Uncontrolled data used in path expression#15

Merged
skyoo2003 merged 3 commits intomainfrom
alert-autofix-10
Apr 19, 2026
Merged

fix: Potential fix for code scanning alert no. 10: Uncontrolled data used in path expression#15
skyoo2003 merged 3 commits intomainfrom
alert-autofix-10

Conversation

@skyoo2003
Copy link
Copy Markdown
Owner

@skyoo2003 skyoo2003 commented Apr 19, 2026

Potential fix for https://github.com/skyoo2003/devcloud/security/code-scanning/10

General fix: validate untrusted path components as components (not full paths), reject absolute/empty/traversal-like segments, then build the full path and enforce containment using path semantics (filepath.Rel).

Best concrete fix here (in internal/services/s3/store.go):

  1. Add a helper validatePathComponent(part string) error that rejects:
    • empty strings
    • "." and ".."
    • any path separator (/ or \)
  2. In safePath, validate all parts first.
  3. Replace the current HasPrefix containment check with:
    • cleanBase := filepath.Clean(fs.baseDir)
    • rel, err := filepath.Rel(cleanBase, cleaned)
    • reject when err != nil, rel == "..", or strings.HasPrefix(rel, ".."+string(filepath.Separator))
  4. Keep existing behavior otherwise (same methods and return types), no changes needed in provider.go.

No new external dependencies are needed.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@skyoo2003 @github-advanced-security
Potential fix for code scanning alert no. 10: Uncontrolled data used …
c22f75c 
…in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@sourcery-ai
Copy link
Copy Markdown
Contributor

sourcery-ai Bot commented Apr 19, 2026
edited
Loading

Reviewer's Guide

Refines path handling in the S3 file store to validate each user-supplied path component and enforce directory containment using filepath semantics instead of prefix checks, mitigating path traversal risks flagged by code scanning alert #10.

File-Level Changes

Change Details Files
Introduce strict validation for individual path components before constructing filesystem paths.
  • Add validatePathComponent helper that rejects empty strings, ".", "..", and any component containing path separators
  • Invoke validatePathComponent for every argument passed into safePath, returning an error on the first invalid component
 internal/services/s3/store.go
Harden safePath directory containment logic using filepath.Clean and filepath.Rel instead of string prefix matching.
  • Normalize the base directory with filepath.Clean before path joining
  • Build the joined path using the cleaned base directory and then clean the result
  • Replace the HasPrefix-based containment check with a filepath.Rel-based check that rejects any path resolving outside the base directory (including traversal attempts)
 internal/services/s3/store.go
Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@github-actions github-actions Bot added the services AWS service implementations label Apr 19, 2026
@skyoo2003 skyoo2003 self-assigned this Apr 19, 2026
@skyoo2003 skyoo2003 changed the title Potential fix for code scanning alert no. 10: Uncontrolled data used in path expression fix: Potential fix for code scanning alert no. 10: Uncontrolled data used in path expression Apr 19, 2026
@skyoo2003 skyoo2003 marked this pull request as ready for review April 19, 2026 18:50
sourcery-ai[bot]
sourcery-ai Bot reviewed Apr 19, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@sourcery-ai sourcery-ai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've reviewed your changes and they look great!

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@skyoo2003
fix: allow slashes in S3 keys for path validation
3117d71 
The previous validatePathComponent rejected any path component containing
slashes, but S3 keys legitimately use "/" as a delimiter (e.g. "a/b/c/file.txt").
Path traversal protection is already enforced by the filepath.Rel containment
check in safePath, so the slash rejection was redundant and overly strict.
@skyoo2003
fix: resolve merge conflict with main, adopt objectPath separation
79e21cf 
Adopt main's cleaner architecture: validPathComponent for strict segment
validation (accountID, bucket), and objectPath as a separate method that
allows slashes in S3 keys while still enforcing containment via filepath.Rel.
@github-actions github-actions Bot added the bug Something isn't working label Apr 19, 2026
@skyoo2003 skyoo2003 merged commit af9d4ab into main Apr 19, 2026
10 checks passed
@skyoo2003 skyoo2003 deleted the alert-autofix-10 branch April 19, 2026 23:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

Assignees

@skyoo2003 skyoo2003

Labels

bug Something isn't working services AWS service implementations

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@skyoo2003