From 4e2736de01aeb467fda11802d69a489442cd829f Mon Sep 17 00:00:00 2001
From: Arsh Verma
Date: Fri, 22 May 2026 02:24:00 +0530
Subject: [PATCH 1/2] Potential fix for code scanning alert no. 27: Uncontrolled data used in path expression
Co-authored-by: Arsh Verma
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 sentinelops-backend/app/services/local_git_service.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/sentinelops-backend/app/services/local_git_service.py b/sentinelops-backend/app/services/local_git_service.py
index 4a29328..1679ac1 100644
--- a/sentinelops-backend/app/services/local_git_service.py
+++ b/sentinelops-backend/app/services/local_git_service.py
@@ -135,6 +135,9 @@ def _validate_repo_path_for_linking(self, repo_path: str) -> str:
 return ""
 if not self._is_within_allowed_root(normalized):
 return ""
+ # Do not allow linking via symlinked repository directories.
+ if os.path.islink(normalized):
+ return ""
 if not os.path.isdir(normalized):
 return ""
 git_dir = os.path.join(normalized, ".git")
From 50d1d3f3a9e1856edf8d3315312bb4ce6ee2676e Mon Sep 17 00:00:00 2001
From: Arsh Verma
Date: Fri, 22 May 2026 02:26:40 +0530
Subject: [PATCH 2/2] Potential fix for pull request finding 'CodeQL / Uncontrolled data used in path expression'
Co-authored-by: Arsh Verma
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .../app/services/local_git_service.py | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/sentinelops-backend/app/services/local_git_service.py b/sentinelops-backend/app/services/local_git_service.py
index 1679ac1..1e53001 100644
--- a/sentinelops-backend/app/services/local_git_service.py
+++ b/sentinelops-backend/app/services/local_git_service.py
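Review bot: The added `os.path.islink(normalized)` test in `_validate_repo_path_for_linking` only inspects the final path component, so a repository reached through a symlinked parent directory still passes this guard. How `normalized` is produced lies above the hunk: if it already went through `os.path.realpath` the new branch can never fire, and if it did not, the lexical `commonpath` containment check in `_is_within_allowed_root` can be satisfied by a path whose real target is outside the allowed root. Comparing against the resolved form covers every component, e.g. `if os.path.realpath(normalized) != normalized: return ""`. The function continues past the end of the hunk, so whether later code re-resolves the path before use cannot be confirmed from here.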
@@ -109,16 +109,14 @@ def _validate_repo_path_for_fs_access(
 def _is_within_allowed_root(self, normalized_path: str) -> bool:
 """Return True if normalized_path is inside configured allowed repo root."""
 try:
- if (
- not ALLOWED_REPO_ROOT
- or not os.path.isabs(ALLOWED_REPO_ROOT)
- or not os.path.isdir(ALLOWED_REPO_ROOT)
- ):
+ if not ALLOWED_REPO_ROOT:
 return False
- return (
- os.path.commonpath([normalized_path, ALLOWED_REPO_ROOT])
- == ALLOWED_REPO_ROOT
+ allowed_root = os.path.realpath(
+ os.path.abspath(os.path.expanduser(ALLOWED_REPO_ROOT))
 )
+ if not os.path.isabs(allowed_root) or not os.path.isdir(allowed_root):
+ return False
+ return os.path.commonpath([normalized_path, allowed_root]) == allowed_root
 except ValueError:
 return False
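Review bot: After `os.path.abspath` and `os.path.realpath`, `os.path.isabs(allowed_root)` is always true, so the rewritten guard in `_is_within_allowed_root` no longer rejects a relative `ALLOWED_REPO_ROOT` as the removed condition did. A relative or `~`-prefixed setting is now silently resolved against the process working directory or home directory. If only absolute roots are meant to be accepted, test the configured value before resolving it, e.g. `if not ALLOWED_REPO_ROOT or not os.path.isabs(os.path.expanduser(ALLOWED_REPO_ROOT)): return False`. The root is now symlink-resolved while `normalized_path` is compared as passed in, and its normalisation happens in callers outside this hunk. If those callers do not also apply `os.path.realpath`, the two sides can disagree; `os.path.commonpath([os.path.realpath(normalized_path), allowed_root])` would keep them consistent, and the docstring should state which form callers must pass.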