chore: Potential fix for code scanning alert no. 35: Uncontrolled data used in path expression #395
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…a used in path expression Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
DerekRoberts
changed the title
Contributor
There was a problem hiding this comment.
Pull request overview
This PR addresses a path traversal vulnerability (Code Scanning Alert #35) in the Maven wrapper downloader by replacing insufficient string-based sanitization with proper path validation using the Java NIO Path API.
Key Changes:
- Removes inadequate
.replace("..", "")sanitization that could be bypassed - Implements proper path validation using
Path.resolve()andnormalize()to construct safe file paths - Adds
startsWith()check to ensure the resolved path remains within the working directory
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Addresses Copilot AI feedback by adding symlink resolution validation. This prevents path traversal attacks that could bypass directory restrictions using symlinks in parent directories. - Resolve symlinks using toRealPath() on parent directory - Validate resolved path remains within base directory - Create parent directories if they don't exist
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Potential fix for https://github.com/bcgov/quickstart-openshift-backends/security/code-scanning/35
To remediate this vulnerability, we need to properly restrict the use of the user-supplied path argument so that it cannot be used for path traversal or writing files outside a desired directory.
jarPath, create aPathobject relative to a safe base directory (such as the project root or working directory), resolve the filename, normalize the path, and check that the result is still contained within the intended base directory. If not, throw an exception and abort.main(), after receivingargs[1]and before using it to download the file.java.nio.fileclasses.Path baseDir = Paths.get("").toAbsolutePath().normalize();), and compare the resolved file's parent directory with this base. Throw an error if not contained.Suggested fixes powered by Copilot Autofix. Review carefully before merging.
Thanks for the PR!
Deployments, as required, will be available below:
Please create PRs in draft mode. Mark as ready to enable:
After merge, new images are deployed in: