
Fix path traversal vulnerability in FilterService.GetFilterJaml #10

Closed
Copilot wants to merge 1 commit into feat/stabilize-local-dev-paths from copilot/sub-pr-1-another-one

Conversation


Copilot AI commented Jan 19, 2026

The path traversal protection in GetFilterJaml was incomplete. Path.GetFileNameWithoutExtension("../../../etc/passwd.jaml") returns "../../../etc/passwd", leaving path separators intact since they're valid filename characters on some platforms.

Changes

  • Use Path.GetFileName() before Path.GetFileNameWithoutExtension() to strip directory components first
  • Add explicit validation that sanitized name contains no path separators after processing

// Before: vulnerable to path traversal
var safeName = Path.GetFileNameWithoutExtension(filterId);

// After: strips directory parts, then extension
var safeName = Path.GetFileNameWithoutExtension(Path.GetFileName(filterId));
// Then validate no separators remain
if (safeName.Contains(Path.DirectorySeparatorChar) || safeName.Contains(Path.AltDirectorySeparatorChar))
    return string.Empty;
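As an added example that is not the PR's or the project's own code, the pre-fix one-liner next to the fixed version described above, plus a base-directory containment check a reviewer would want as defence in depth; FilterStore, BaseDir and the sample ids are assumptions.

```csharp
using System;
using System.IO;

public static class FilterStore
{
    // Assumed base directory all filter files must live under (placeholder for the example).
    static readonly string BaseDir =
        Path.GetFullPath(Path.Combine(Path.GetTempPath(), "filters"));

    // The pre-fix one-liner: directory parts survive, only the extension is removed.
    public static string SanitizeBefore(string filterId) =>
        Path.GetFileNameWithoutExtension(filterId);

    // The fix from the PR: drop directory parts first, then the extension, then
    // verify no separator is left (on Unix both separator constants are '/').
    public static string SanitizeAfter(string filterId)
    {
        if (string.IsNullOrWhiteSpace(filterId)) return string.Empty;
        var safeName = Path.GetFileNameWithoutExtension(Path.GetFileName(filterId));
        if (safeName.Length == 0
            || safeName.Contains(Path.DirectorySeparatorChar)
            || safeName.Contains(Path.AltDirectorySeparatorChar))
            return string.Empty;
        return safeName;
    }

    // Defence in depth: resolve the final path and require it to stay under BaseDir,
    // so anything the name-level check misses is still rejected before any file I/O.
    public static string ResolveFilterPath(string filterId)
    {
        var safeName = SanitizeAfter(filterId);
        if (safeName.Length == 0) return string.Empty;
        var full = Path.GetFullPath(Path.Combine(BaseDir, safeName + ".jaml"));
        var root = BaseDir.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        return full.StartsWith(root, StringComparison.Ordinal) ? full : string.Empty;
    }

    public static void Main()
    {
        // Constructed sample ids: a traversal attempt, a normal id, a nested path, and "..".
        foreach (var id in new[] { "../../../etc/passwd.jaml", "default.jaml", "sub/dir/x.jaml", ".." })
            Console.WriteLine($"{id,-26} before='{SanitizeBefore(id)}' after='{SanitizeAfter(id)}' path='{ResolveFilterPath(id)}'");
    }
}
```

The StartsWith check in ResolveFilterPath is what actually guarantees the file stays under BaseDir; the name-level separator check only makes a traversal attempt visible early.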


Copilot AI changed the title from "[WIP] WIP: Address feedback on local dev paths stabilization" to "Fix path traversal vulnerability in FilterService.GetFilterJaml" on Jan 19, 2026
Copilot AI requested a review from joirunner January 19, 2026 22:32
@joirunner joirunner marked this pull request as ready for review January 19, 2026 22:33
Copilot AI review requested due to automatic review settings January 19, 2026 22:33

Copilot AI left a comment


Copilot wasn't able to review any files in this pull request.


@joirunner joirunner closed this Jan 19, 2026
@joirunner joirunner deleted the copilot/sub-pr-1-another-one branch January 19, 2026 22:42