From 59a0c40e485b042f3dd697a9f105b9d9facd1415 Mon Sep 17 00:00:00 2001
From: Arsh Verma
Date: Fri, 22 May 2026 02:34:02 +0530
Subject: [PATCH 1/2] Potential fix for code scanning alert no. 26: Uncontrolled data used in path expression

Co-authored-by: Arsh Verma
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 sentinelops-backend/app/services/local_git_service.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/sentinelops-backend/app/services/local_git_service.py b/sentinelops-backend/app/services/local_git_service.py
index 84afb30..f143e23 100644
--- a/sentinelops-backend/app/services/local_git_service.py
+++ b/sentinelops-backend/app/services/local_git_service.py
@@ -142,8 +142,14 @@ def _validate_repo_path_for_linking(self, repo_path: str) -> str:
 if not os.path.isdir(normalized):
 return ""
 git_dir = os.path.join(normalized, ".git")
+ git_dir_real = os.path.realpath(git_dir)
+ try:
+ if os.path.commonpath([git_dir_real, normalized]) != normalized:
+ return ""
+ except ValueError:
+ return ""
 # Require a real .git directory inside the repository path and reject symlinks.
- if not os.path.isdir(git_dir) or os.path.islink(git_dir):
+ if not os.path.isdir(git_dir_real) or os.path.islink(git_dir_real):
 return ""
 return normalized

From 671e2cf28275372868e6815c7406256b16da08b6 Mon Sep 17 00:00:00 2001
From: Arsh Verma
Date: Fri, 22 May 2026 02:37:32 +0530
Subject: [PATCH 2/2] Potential fix for pull request finding 'CodeQL / Uncontrolled data used in path expression'

Co-authored-by: Arsh Verma
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .../app/services/local_git_service.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/sentinelops-backend/app/services/local_git_service.py b/sentinelops-backend/app/services/local_git_service.py
index f143e23..39d87ce 100644
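Review bot: `os.path.islink(git_dir_real)` on the replaced `if` line can never be true, because `os.path.realpath` has already resolved every symlink, so the symlink rejection that the comment directly above promises is silently lost by this change: a `.git` entry that is a symlink to any directory beneath the repository now passes both the `commonpath` test and the `isdir` test and is accepted. Keep the link test on the unresolved path, `if os.path.islink(git_dir) or not os.path.isdir(git_dir_real):`. The `commonpath` comparison also lets `git_dir_real == normalized` through, i.e. a `.git` link that resolves to the repository root itself, which cannot be a git directory; requiring `git_dir_real` to be a strict descendant of `normalized` would close that. `_validate_repo_path_for_linking` starts before the hunk.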
--- a/sentinelops-backend/app/services/local_git_service.py
+++ b/sentinelops-backend/app/services/local_git_service.py
@@ -136,15 +136,25 @@ def _validate_repo_path_for_linking(self, repo_path: str) -> str:
 return ""
 if not self._is_within_allowed_root(normalized):
 return ""
+
+ normalized_real = os.path.realpath(normalized)
+ if normalized_real != normalized:
+ return ""
+
 # Do not allow linking via symlinked repository directories.
 if os.path.islink(normalized):
 return ""
 if not os.path.isdir(normalized):
 return ""
+
 git_dir = os.path.join(normalized, ".git")
 git_dir_real = os.path.realpath(git_dir)
+ normalized_prefix = normalized + os.sep
 try:
- if os.path.commonpath([git_dir_real, normalized]) != normalized:
+ if not (
+ git_dir_real == normalized
+ or git_dir_real.startswith(normalized_prefix)
+ ):
 return ""
 except ValueError:
 return ""
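Review bot: The `try`/`except ValueError` now guards only an `==` and a `str.startswith` comparison, neither of which raises `ValueError` (that was `os.path.commonpath`'s failure mode on mismatched inputs), so the handler is dead code and the `try` should be removed with it. The rewritten condition still explicitly accepts `git_dir_real == normalized`, a `.git` entry that resolves to the repository root itself, which cannot be a valid git directory; `if not git_dir_real.startswith(normalized_prefix): return ""` is the tighter check. The new `normalized_real != normalized` guard rejects any path containing a symlinked component, so a linking root that is itself reached through a symlink (for example `/tmp` on macOS) will reject every repository beneath it; if `_is_within_allowed_root`, which is not visible here, compares against an unresolved root, resolve the root the same way or state the restriction above the guard with `# Repository paths must already be fully resolved; roots reached via symlinks are not supported.` Once that guard holds, the later `os.path.islink(normalized)` test can no longer be true. The function starts before the hunk and continues after it.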