From c653a3ae80dad83f741aa699c0b164d38005b2ac Mon Sep 17 00:00:00 2001
From: Arsh Verma <arshverma.dev@gmail.com>
Date: Thu, 21 May 2026 13:37:20 +0530
Subject: [PATCH] Potential fix for code scanning alert no. 21: Uncontrolled
 data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 sentinelops-backend/app/services/local_git_service.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/sentinelops-backend/app/services/local_git_service.py b/sentinelops-backend/app/services/local_git_service.py
index 825f98b..9499ba8 100644
--- a/sentinelops-backend/app/services/local_git_service.py
+++ b/sentinelops-backend/app/services/local_git_service.py
@@ -136,7 +136,13 @@ def _validate_repo_path_for_linking(self, repo_path: str) -> str:
             return ""
         if not os.path.isdir(normalized):
             return ""
-        if not os.path.isdir(os.path.join(normalized, ".git")):
+        git_dir = os.path.realpath(os.path.join(normalized, ".git"))
+        try:
+            if os.path.commonpath([git_dir, normalized]) != normalized:
+                return ""
+        except ValueError:
+            return ""
+        if not os.path.isdir(git_dir):
             return ""
         return normalized