From f41db6d196429c0564c48cc00a5b49c11874af91 Mon Sep 17 00:00:00 2001
From: Arsh Verma <arshverma.dev@gmail.com>
Date: Thu, 21 May 2026 13:40:36 +0530
Subject: [PATCH] Potential fix for code scanning alert no. 23: Uncontrolled
 data used in path expression

Co-authored-by: Arsh Verma <arshverma.dev@gmail.com>

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 sentinelops-backend/app/services/local_git_service.py | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/sentinelops-backend/app/services/local_git_service.py b/sentinelops-backend/app/services/local_git_service.py
index 9499ba8..6c9a40e 100644
--- a/sentinelops-backend/app/services/local_git_service.py
+++ b/sentinelops-backend/app/services/local_git_service.py
@@ -136,13 +136,9 @@ def _validate_repo_path_for_linking(self, repo_path: str) -> str:
             return ""
         if not os.path.isdir(normalized):
             return ""
-        git_dir = os.path.realpath(os.path.join(normalized, ".git"))
-        try:
-            if os.path.commonpath([git_dir, normalized]) != normalized:
-                return ""
-        except ValueError:
-            return ""
-        if not os.path.isdir(git_dir):
+        git_dir = os.path.join(normalized, ".git")
+        # Require a real .git directory inside the repository path and reject symlinks.
+        if not os.path.isdir(git_dir) or os.path.islink(git_dir):
             return ""
         return normalized