Fix Path.Combine security warnings and MSTest assertion code smells #3

Merged
Malcolmnixon merged 4 commits into main from copilot/fix-code-quality-path-combine
Feb 10, 2026

Copilot AI commented Feb 10, 2026

Addresses CodeQL path traversal warnings and MSTest analyzer recommendations.

Changes

Path Security

  • Added PathHelpers.SafePathCombine that validates relative paths before combining:
    • Rejects absolute paths and .. sequences
    • Verifies combined path stays within base directory using Path.GetFullPath
  • Replaced 4 Path.Combine calls (3 in Validation.cs, 1 in IntegrationTests.cs)
  • Updated CodeQL config to exclude validated usage in PathHelpers

```csharp
// Before
var logFile = Path.Combine(tempDir.DirectoryPath, "test.log");

// After
var logFile = PathHelpers.SafePathCombine(tempDir.DirectoryPath, "test.log");
```

Test Assertions

  • Updated 21 assertions across test files to use MSTest-specific methods:
    • Assert.IsTrue(x.Contains(y)) → Assert.Contains(y, x)
    • Assert.IsFalse(x.Contains(y)) → Assert.DoesNotContain(y, x)
  • Improves failure diagnostics and aligns with MSTest best practices
Original prompt

This section details on the original issue you should resolve

<issue_title>Code Quality</issue_title>
<issue_description>There are numerous code-quality issues reported for the project. Those around System.IO.Path.Combine could be handled using a SafePathCombine like https://github.com/demaconsulting/BuildMark/blob/main/src/DemaConsulting.BuildMark/PathHelpers.cs and its associated tests and the codeql-config.yml file.

Please fix the following issues:

src/DemaConsulting.TemplateDotNetTool/Validation.cs(106): warning [cs/path-combine] Call to
‘System.IO.Path.Combine’ may silently drop its earlier arguments.  
src/DemaConsulting.TemplateDotNetTool/Validation.cs(174): warning [cs/path-combine] Call to
‘System.IO.Path.Combine’ may silently drop its earlier arguments.  
src/DemaConsulting.TemplateDotNetTool/Validation.cs(332): warning [cs/path-combine] Call to
‘System.IO.Path.Combine’ may silently drop its earlier arguments.  
test/DemaConsulting.TemplateDotNetTool.Tests/IntegrationTests.cs(40): warning [cs/path-combine] Call to
‘System.IO.Path.Combine’ may silently drop its earlier arguments.  
test/DemaConsulting.TemplateDotNetTool.Tests/ContextTests.cs(163): INFO CODE_SMELL
[external_roslyn:MSTEST0037] Use ‘Assert.Contains’ instead of ‘Assert.IsTrue’  
test/DemaConsulting.TemplateDotNetTool.Tests/ContextTests.cs(181): INFO CODE_SMELL
[external_roslyn:MSTEST0037] Use ‘Assert.Contains’ instead of ‘Assert.IsTrue’  
test/DemaConsulting.TemplateDotNetTool.Tests/ContextTests.cs(200): INFO CODE_SMELL
[external_roslyn:MSTEST0037] Use ‘Assert.Contains’ instead of ‘Assert.IsTrue’  
test/DemaConsulting.TemplateDotNetTool.Tests/ContextTests.cs(224): INFO CODE_SMELL
[external_roslyn:MSTEST0037] Use ‘Assert.DoesNotContain’ instead of ‘Assert.IsFalse’  
test/DemaConsulting.TemplateDotNetTool.Tests/IntegrationTests.cs(63): INFO CODE_SMELL
[external_roslyn:MSTEST0037] Use ‘Assert.DoesNotContain’ instead of ‘Assert.IsFalse’  
test/DemaConsulting.TemplateDotNetTool.Tests/IntegrationTests.cs(64): INFO CODE_SMELL
[external_roslyn:MSTEST0037] Use ‘Assert.DoesNotContain’ instead of ‘Assert.IsFalse’  
test/DemaConsulting.TemplateDotNetTool.Tests/IntegrationTests.cs(84): INFO CODE_SMELL
[external_roslyn:MSTEST0037] Use ‘Assert.Contains’ instead of ‘Assert.IsTrue’  
test/DemaConsulting.TemplateDotNetTool.Tests/IntegrationTests.cs(85): INFO CODE_SMELL
[external_roslyn:MSTEST0037] Use ‘Assert.Contains’ instead of ‘Assert.IsTrue’  
test/DemaConsulting.TemplateDotNetTool.Tests/IntegrationTests.cs(86): INFO CODE_SMELL
[external_roslyn:MSTEST0037] Use ‘Assert.Contains’ instead of ‘Assert.IsTrue’  
test/DemaConsulting.TemplateDotNetTool.Tests/IntegrationTests.cs(106): INFO CODE_SMELL
[external_roslyn:MSTEST0037] Use ‘Assert.Contains’ instead of ‘Assert.IsTrue’  
test/DemaConsulting.TemplateDotNetTool.Tests/IntegrationTests.cs(107): INFO CODE_SMELL
[external_roslyn:MSTEST0037] Use ‘Assert.Contains’ instead of ‘Assert.IsTrue’  
test/DemaConsulting.TemplateDotNetTool.Tests/IntegrationTests.cs(138): INFO CODE_SMELL
[external_roslyn:MSTEST0037] Use ‘Assert.Contains’ instead of ‘Assert.IsTrue’  
test/DemaConsulting.TemplateDotNetTool.Tests/IntegrationTests.cs(139): INFO CODE_SMELL
[external_roslyn:MSTEST0037] Use ‘Assert.Contains’ instead of ‘Assert.IsTrue’  
test/DemaConsulting.TemplateDotNetTool.Tests/IntegrationTests.cs(195): INFO CODE_SMELL
[external_roslyn:MSTEST0037] Use ‘Assert.Contains’ instead of ‘Assert.IsTrue’  
test/DemaConsulting.TemplateDotNetTool.Tests/IntegrationTests.cs(221): INFO CODE_SMELL
[external_roslyn:MSTEST0037] Use ‘Assert.Contains’ instead of ‘Assert.IsTrue’  
test/DemaConsulting.TemplateDotNetTool.Tests/ProgramTests.cs(45): INFO CODE_SMELL
[external_roslyn:MSTEST0037] Use ‘Assert.DoesNotContain’ instead of ‘Assert.IsFalse’  
test/DemaConsulting.TemplateDotNetTool.Tests/ProgramTests.cs(46): INFO CODE_SMELL
[external_roslyn:MSTEST0037] Use ‘Assert.DoesNotContain’ instead of ‘Assert.IsFalse’  
test/DemaConsulting.TemplateDotNetTool.Tests/ProgramTests.cs(70): INFO CODE_SMELL
[external_roslyn:MSTEST0037] Use ‘Assert.Contains’ instead of ‘Assert.IsTrue’  
test/DemaConsulting.TemplateDotNetTool.Tests/ProgramTests.cs(71): INFO CODE_SMELL
[external_roslyn:MSTEST0037] Use ‘Assert.Contains’ instead of ‘Assert.IsTrue’  
test/DemaConsulting.TemplateDotNetTool.Tests/ProgramTests.cs(72): INFO CODE_SMELL
[external_roslyn:MSTEST0037] Use ‘Assert.Contains’ instead of ‘Assert.IsTrue’  
test/DemaConsulting.TemplateDotNetTool.Tests/ProgramTests.cs(73): INFO CODE_SMELL
[external_roslyn:MSTEST0037] Use ‘Assert.Contains’ instead of ‘Assert.IsTrue’  
test/DemaConsulting.TemplateDotNetTool.Tests/ProgramTests.cs(97): INFO CODE_SMELL
[external_roslyn:MSTEST0037] Use ‘Assert.Contains’ instead of ‘Assert.IsTrue’  
test/DemaConsulting.TemplateDotNetTool.Tests/ProgramTests.cs(121): INFO CODE_SMELL
[external_roslyn:MSTEST0037] Use ‘Assert.Contains’ instead of ‘Assert.IsTrue’  
test/DemaConsulting.TemplateDotNetTool.Tests/ProgramTests....

</details>




- Fixes demaconsulting/TemplateDotNetTool#2


@Malcolmnixon Malcolmnixon linked an issue Feb 10, 2026 that may be closed by this pull request
Copilot AI and others added 3 commits February 10, 2026 17:43
Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix code quality issues with System.IO.Path.Combine" to "Fix Path.Combine security warnings and MSTest assertion code smells" Feb 10, 2026
Copilot AI requested a review from Malcolmnixon February 10, 2026 17:50
@Malcolmnixon Malcolmnixon marked this pull request as ready for review February 10, 2026 17:59
@Malcolmnixon Malcolmnixon merged commit 1bf0033 into main Feb 10, 2026
11 checks passed
@Malcolmnixon Malcolmnixon deleted the copilot/fix-code-quality-path-combine branch February 10, 2026 17:59
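
A sketch of the three checks listed in the PR description (reject rooted paths, reject `..`, confirm containment with `Path.GetFullPath`), added here as an illustration; it is not the repository's `PathHelpers` code. The class name `PathHelpersSketch`, the segment-based `..` test, the exception type and the sample paths are assumptions.

```csharp
using System;
using System.IO;

// Illustrative sketch only; not the PathHelpers class from the repository.
public static class PathHelpersSketch
{
    public static string SafePathCombine(string basePath, string relativePath)
    {
        ArgumentNullException.ThrowIfNull(basePath);
        ArgumentNullException.ThrowIfNull(relativePath);

        // Path.Combine returns a rooted second argument unchanged, silently
        // discarding basePath (the behaviour cs/path-combine warns about).
        if (Path.IsPathRooted(relativePath))
            throw new ArgumentException("Absolute paths are not allowed.", nameof(relativePath));

        // Reject any ".." segment, whichever separator is used (assumed rule).
        foreach (var segment in relativePath.Split('/', '\\'))
            if (segment == "..")
                throw new ArgumentException("Parent-directory segments are not allowed.", nameof(relativePath));

        // Defence in depth: resolve both paths and require containment.
        var fullBase = Path.GetFullPath(basePath);
        var fullCombined = Path.GetFullPath(Path.Combine(fullBase, relativePath));
        var relative = Path.GetRelativePath(fullBase, fullCombined);
        if (relative == ".." || relative.StartsWith(".." + Path.DirectorySeparatorChar, StringComparison.Ordinal) || Path.IsPathRooted(relative))
            throw new ArgumentException("Path escapes the base directory.", nameof(relativePath));

        return fullCombined;
    }
}

public static class Demo
{
    public static void Main()
    {
        var baseDir = Path.Combine(Path.GetTempPath(), "sketch-base"); // constructed sample
        var rooted = Path.GetFullPath(Path.Combine(Path.GetTempPath(), "elsewhere.log"));

        Console.WriteLine(Path.Combine(baseDir, rooted)); // baseDir is silently dropped
        Console.WriteLine(PathHelpersSketch.SafePathCombine(baseDir, "logs/test.log"));

        foreach (var bad in new[] { rooted, "../escape.log", "logs/../../escape.log" })
        {
            try { PathHelpersSketch.SafePathCombine(baseDir, bad); }
            catch (ArgumentException ex) { Console.WriteLine($"rejected '{bad}': {ex.Message}"); }
        }
    }
}
```

The containment test compares resolved paths through `Path.GetRelativePath` rather than a string prefix, so a sibling directory such as `sketch-base-other` is not mistaken for a child of `sketch-base`.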