Conversation
Instead of assuming /24 for all discovered devices, now parses the CIDR prefix from the scanner's configured address (e.g., "192.168.1.12/22:47808") and uses that prefix length for devices on the local network. Falls back to /24 only when no local subnet info is available. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Enhances local subnet detection by querying the operating system's network interfaces (via ifconfig/ip addr) to find the actual netmask for the scanner's IP address. This ensures accurate subnet detection even when the configured address uses a different CIDR notation.
- Adds _get_system_interfaces() to parse ifconfig (macOS) and ip addr (Linux)
- Adds _detect_local_subnet() to match scanner IP to system interfaces
- Removes conflicting subnets from config when detected subnet differs
- Falls back to address config CIDR if interface detection fails
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
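The two commit messages above describe the subnet-detection order (OS interface netmask first, then the CIDR length in the configured address, then a /24 fallback) and the removal of conflicting configured subnets. The following is an added example that reimplements that order with the standard `ipaddress` module; it is not the project's own code, the function names (`parse_scanner_address`, `parse_interfaces`, `detect_local_subnet`, `reconcile_subnets`) are hypothetical, and the `ip addr` / `ifconfig` text is constructed rather than captured from a host.

```python
"""Added example: derive the scanner's local subnet the way the commits describe."""
import ipaddress
import re
from typing import Iterator, List, Optional, Tuple

# Constructed sample of Linux `ip addr` output (not from a real host).
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    inet 192.168.1.12/21 brd 192.168.7.255 scope global eth0
"""

# Constructed sample of macOS/BSD `ifconfig` output (hex netmask form).
SAMPLE_IFCONFIG = """\
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 10.0.5.77 netmask 0xfffff800 broadcast 10.0.7.255
"""

_IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse_scanner_address(addr: str) -> Tuple[ipaddress.IPv4Address, Optional[int], Optional[int]]:
    """Split 'ip[/prefix][:port]' (e.g. '192.168.1.12/22:47808') into its parts."""
    m = re.fullmatch(_IPV4 + r"(?:/(\d{1,2}))?(?::(\d+))?", addr)
    if not m:
        raise ValueError(f"unrecognised scanner address: {addr!r}")
    ip, prefix, port = m.groups()
    return ipaddress.IPv4Address(ip), (int(prefix) if prefix else None), (int(port) if port else None)


def parse_interfaces(text: str) -> Iterator[ipaddress.IPv4Interface]:
    """Yield address/netmask pairs from `ip addr` (CIDR) or `ifconfig` (netmask) text."""
    for line in text.splitlines():
        m = re.search(r"\binet " + _IPV4 + r"/(\d{1,2})\b", line)  # Linux: inet a.b.c.d/len
        if m:
            yield ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            continue
        m = re.search(r"\binet " + _IPV4 + r" netmask (0x[0-9a-fA-F]{8}|" + _IPV4 + ")", line)
        if m:  # BSD/macOS: inet a.b.c.d netmask 0xffffff00 (or dotted)
            mask = m.group(2)
            if mask.startswith("0x"):
                mask = str(ipaddress.IPv4Address(int(mask, 16)))
            yield ipaddress.IPv4Interface(f"{m.group(1)}/{mask}")


def detect_local_subnet(addr: str, interface_text: str = "") -> ipaddress.IPv4Network:
    """Interface netmask first, then the configured CIDR length, then /24."""
    ip, prefix, _port = parse_scanner_address(addr)
    for iface in parse_interfaces(interface_text):
        if iface.ip == ip:
            return iface.network
    if prefix is not None:
        return ipaddress.IPv4Network(f"{ip}/{prefix}", strict=False)
    return ipaddress.IPv4Network(f"{ip}/24", strict=False)


def reconcile_subnets(configured: List[str], detected: ipaddress.IPv4Network) -> List[str]:
    """Drop configured subnets that overlap the detected one but differ from it,
    then append the detected subnet (assumed interpretation of 'removes conflicting subnets')."""
    kept = [s for s in configured
            if not ipaddress.IPv4Network(s).overlaps(detected) or ipaddress.IPv4Network(s) == detected]
    if str(detected) not in kept:
        kept.append(str(detected))
    return kept


if __name__ == "__main__":
    net = detect_local_subnet("192.168.1.12/22:47808", SAMPLE_IP_ADDR)
    print(net, reconcile_subnets(["192.168.1.0/24", "10.10.0.0/16"], net))
```

Parsing the port is deliberate: the configured `ip/len:port` form is what the first commit message quotes, and a regex that ignores the port would silently fall through to the /24 branch. `strict=False` lets `IPv4Network` accept a host address and compute the network it belongs to.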
…o merge-cristian-and-jackson-fixes
|
|
||
| try: | ||
| return FileResponse(ttl_filepath, filename=ttl_filename) | ||
| except Exception as e: |
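Review bot: the flagged `FileResponse(ttl_filepath, ...)` call is only where the caller-derived path is consumed, so the fix has to live where `ttl_filepath` is produced; also, if that lookup runs inside this `try`, the broad `except Exception as e` will catch an `HTTPException` raised for an invalid name and turn a deliberate 400 into whatever this handler returns, so add an `except HTTPException: raise` before the generic clause.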
Check failure
Code scanning / CodeQL
Uncontrolled data used in path expression High
Copilot Autofix
AI 24 days ago
In general, to fix uncontrolled file path usage you should: (1) treat all user-provided path segments as untrusted, (2) resolve them against a known safe root directory using os.path.join and os.path.normpath or os.path.realpath, and (3) verify that the normalized path is still inside the root directory. Optionally, you can further constrain the input so that it does not contain path separators or special characters, turning it into a simple filename rather than an arbitrary path.
For this code, the best minimal fix is to harden get_file_path so that it only ever returns paths strictly within the agent’s data directory, and only for simple filenames. Concretely:
- Reject `file_name` values that contain path separators (`/` or `os.sep`), which are not needed here because the endpoint expects “Name of the TTL comparison file to download (including .ttl extension)”, not nested paths.
- When a matching file is found by `os.walk`, compute the candidate path, normalize it with `os.path.normpath`, and verify it is still under `folder_path` by checking the common prefix via `os.path.commonpath([folder_path, full_path]) == folder_path`. Only return the path if this check passes.
These changes are all in `Grasshopper/grasshopper/api.py`, within `get_file_path`, and require no new imports because `os` is already imported.
| @@ -304,7 +304,15 @@ | ||
|
|
||
| Raises: | ||
| FileNotFoundError: If the specified folder doesn't exist | ||
| HTTPException: If an invalid file name is provided | ||
| """ | ||
| # Disallow path separators in the file name to prevent directory traversal | ||
| if os.path.sep in file_name or (os.path.altsep and os.path.altsep in file_name): | ||
| raise HTTPException( | ||
| status_code=status.HTTP_400_BAD_REQUEST, | ||
| detail="Invalid file name", | ||
| ) | ||
|
|
||
| agent_data_path = get_agent_data_path(request) | ||
| folder_path = os.path.join(agent_data_path, folder) | ||
| if not os.path.exists(folder_path): | ||
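Review bot: the separator check covers only `file_name`, while `folder` is joined into `folder_path` two lines later with no validation; if `folder` is caller-supplied it can still carry `..` segments, so apply the same rejection of separators and `.`/`..` to `folder` (or resolve `folder_path` with `os.path.realpath` and confirm it is under `agent_data_path`). Also confirm `HTTPException` and `status` are already imported in this module, since the description says only `os` is.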
| @@ -314,7 +321,14 @@ | ||
|
|
||
| for root, dirs, files in os.walk(folder_path): | ||
| if file_name in files: | ||
| return os.path.join(root, file_name) | ||
| candidate_path = os.path.normpath(os.path.join(root, file_name)) | ||
| # Ensure the resolved path is still within the expected folder | ||
| if os.path.commonpath([folder_path, candidate_path]) != folder_path: | ||
| raise HTTPException( | ||
| status_code=status.HTTP_400_BAD_REQUEST, | ||
| detail="Invalid file path", | ||
| ) | ||
| return candidate_path | ||
|
|
||
| return None | ||
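Review bot: the `commonpath` comparison is made against `folder_path` as built above, which is never normalised; a `folder` value with a trailing separator or a `.` segment makes `commonpath` return a different string and this branch then rejects every legitimate file with a 400. Compare against `os.path.normpath(folder_path)`, or better `os.path.realpath` on both sides, which also catches a symlink inside the folder that points outside the data directory (`os.walk` lists symlinked files in `files`, and `normpath` does not resolve links).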
|
|
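The autofix comment above lays out the containment pattern (treat segments as untrusted, join under a known root, normalise, verify the result is still under the root). As an added example that is not part of the PR or the project's code, the function below applies that pattern to both the folder and the file name, uses `realpath` rather than `normpath` so symlinked files are checked against the root as well, and exercises the checks on a constructed directory tree. `resolve_download_path`, `InvalidPath` and `demo` are hypothetical names.

```python
"""Added example: constrained file lookup under a fixed root, with a self-check."""
import os
import tempfile
from typing import Callable, Dict, Optional


class InvalidPath(ValueError):
    """Requested segment is not a plain name, or the resolved path escapes the root."""


def _is_plain_segment(segment: str) -> bool:
    """A usable segment is non-empty, not '.'/'..', and contains no separator."""
    if not segment or segment in (".", ".."):
        return False
    if os.path.sep in segment or (os.path.altsep and os.path.altsep in segment):
        return False
    return True


def resolve_download_path(root: str, folder: str, file_name: str) -> Optional[str]:
    """Return the real path of file_name under root/folder, or None if absent."""
    for segment in (folder, file_name):          # both caller-supplied parts are checked
        if not _is_plain_segment(segment):
            raise InvalidPath(f"invalid path segment: {segment!r}")
    root = os.path.realpath(root)                 # realpath on both sides keeps commonpath consistent
    folder_path = os.path.realpath(os.path.join(root, folder))
    if os.path.commonpath([root, folder_path]) != root:
        raise InvalidPath("folder resolves outside root")
    if not os.path.isdir(folder_path):
        raise FileNotFoundError(folder_path)
    for current, _dirs, files in os.walk(folder_path):
        if file_name in files:
            candidate = os.path.realpath(os.path.join(current, file_name))
            # realpath follows symlinks, so a link pointing out of root fails here
            if os.path.commonpath([root, candidate]) != root:
                raise InvalidPath("file resolves outside root")
            return candidate
    return None


def _raises(exc_type: type, fn: Callable[[], object]) -> bool:
    try:
        fn()
    except exc_type:
        return True
    return False


def demo() -> Dict[str, bool]:
    """Build a constructed tree (an agent_data dir with a nested .ttl and an
    escaping symlink) and report which requests are served or rejected."""
    results: Dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "agent_data")
        os.makedirs(os.path.join(root, "ttl", "nested"))
        with open(os.path.join(root, "ttl", "nested", "site.ttl"), "w") as fh:
            fh.write("@prefix : <#> .\n")
        with open(os.path.join(tmp, "secret.txt"), "w") as fh:   # outside the root
            fh.write("outside\n")
        os.symlink(os.path.join(tmp, "secret.txt"), os.path.join(root, "ttl", "link.ttl"))

        found = resolve_download_path(root, "ttl", "site.ttl")
        results["found_nested"] = found is not None and found.endswith("site.ttl")
        results["missing_is_none"] = resolve_download_path(root, "ttl", "nope.ttl") is None
        results["separator_rejected"] = _raises(
            InvalidPath, lambda: resolve_download_path(root, "ttl", "../secret.txt"))
        results["dotdot_folder_rejected"] = _raises(
            InvalidPath, lambda: resolve_download_path(root, "..", "secret.txt"))
        results["symlink_escape_rejected"] = _raises(
            InvalidPath, lambda: resolve_download_path(root, "ttl", "link.ttl"))
        results["unknown_folder"] = _raises(
            FileNotFoundError, lambda: resolve_download_path(root, "nope", "site.ttl"))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The separator check alone already prevents traversal through `file_name`, because `os.walk` only ever reports names that exist in the tree; the `commonpath` check after `realpath` is what additionally stops a symlink planted inside the data directory from serving a file outside it.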
Initialize agent_data_path in __init__ instead of onstart() to fix AttributeError when the web server starts. The configure() callback can be called before onstart() (per its docstring), and when webapp is enabled, it spawns _start_server() which accesses self.agent_data_path - but that was only being set in onstart(). This caused: AttributeError: 'Grasshopper' object has no attribute 'agent_data_path' Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add scavenge scan
Fix duplicate vendor ID issues on startup
Fix router and routed devices merge
Frontend and API fixes/improvements
Updated dependencies