From e879c8261a6cb6ed7fd8e36a23af8d330e17ea48 Mon Sep 17 00:00:00 2001
From: Arsh Verma
Date: Fri, 22 May 2026 14:18:49 +0530
Subject: [PATCH] Potential fix for code scanning alert no. 33: Uncontrolled data used in path expression

Co-authored-by: Arsh Verma
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 sentinelops-backend/app/routers/local_dev.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/sentinelops-backend/app/routers/local_dev.py b/sentinelops-backend/app/routers/local_dev.py
index fe6adf3..3ef495d 100644
--- a/sentinelops-backend/app/routers/local_dev.py
+++ b/sentinelops-backend/app/routers/local_dev.py
@@ -41,7 +41,16 @@ async def list_repos():
 @router.post("/repos/link")
 async def link_repo(req: LinkRepoRequest):
     """Link a GitHub repo to a local folder."""
-    success = local_git.link_repo(req.name, req.local_path, req.github_url)
+    validated_path = local_git._validate_repo_path_for_linking(req.local_path)
+    if not validated_path:
+        raise HTTPException(
+            status_code=400,
+            detail=(
+                "Invalid path — no .git directory found. "
+                "Make sure the folder is a git repo."
+            ),
+        )
+    success = local_git.link_repo(req.name, validated_path, req.github_url)
     if not success:
         raise HTTPException(
             status_code=400,
@@ -50,7 +59,7 @@ async def link_repo(req: LinkRepoRequest):
                 "Make sure the folder is a git repo."
             ),
         )
-    return {"status": "linked", "name": req.name, "local_path": req.local_path}
+    return {"status": "linked", "name": req.name, "local_path": validated_path}
 
 
 @router.delete("/repos/unlink")
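Review bot: The new guard on `validated_path` only establishes that `req.local_path` names something with a `.git` directory (per the 400 message), which is an existence check, not a containment check — as far as this hunk shows, a client can still link any git checkout the service process can read, including the server's own working copy, so the scanner alert may be silenced by routing the value through a sanitizer-shaped helper without the path actually being constrained. `_validate_repo_path_for_linking` is outside the hunk; if it does not already do so, it should `Path(req.local_path).resolve(strict=True)` and reject the result unless it `is_relative_to()` a configured allowed root, returning that resolved path rather than the caller's string. The route also reaches into a module-private name (`local_git._validate_repo_path_for_linking`); either give the helper a public name or fold the check into `local_git.link_repo` and have it raise a typed error the route maps to 400. Both 400 responses now carry identical `detail` text, so a client cannot tell a rejected path from a link that failed for another reason. link_repo's body continues outside this hunk.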