D->M #207
D->M #207
Conversation
still more to go, as there are some more serious issues like access to private members, and out of date dependencies, but this puts us on a good footing for any future change w/less format spam.
…e Python 3.11.4 [PTV-1887]
…wn a bit too [PTV-1887]
Not perfect. The readme has dozens of issues reported.
just to satisfy remark-lint used by codacy, as it uses rules not supported by PyCharm. So annoying.
There are breaking changes; it should be updated, but probably not in this set of changes.
PTV-1887 - linting, formatting, updating reps, fixing tests
* Adding dependabot and codeql workflows to the repo
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| @@ -476,30 +482,24 @@ | |||
|
|
|||
|
|
|||
| @routes.post("/define-upa/{path:.+}") | |||
| async def define_UPA(request: web.Request): | |||
| async def define_upa(request: web.Request): | |||
Check failure
Code scanning / CodeQL
Uncontrolled data used in path expression High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 27 days ago
To fix the problem, we need to ensure that the path derived from user input is validated and sanitized before it is used in any file operations. This can be achieved by normalizing the path and ensuring it is contained within a safe root directory.
- Normalize the path using
os.path.normpathto remove any ".." segments. - Ensure that the normalized path starts with the intended base directory to prevent access to files outside this directory.
| @@ -416,3 +416,7 @@ | ||
| username = await authorize_request(request) | ||
| path = Path.validate_path(username, request.match_info["path"]) | ||
| user_path = os.path.normpath(request.match_info["path"]) | ||
| full_path = os.path.join(base_path, user_path) | ||
| if not full_path.startswith(base_path): | ||
| raise web.HTTPForbidden(text="Invalid path") | ||
| path = Path.validate_path(username, full_path) | ||
| return web.json_response(await read_metadata_for(path)) | ||
| @@ -494,4 +498,9 @@ | ||
| username = await authorize_request(request) | ||
| path = Path.validate_path(username, request.match_info["path"]) | ||
| if not os.path.exists(path.full_path or not os.path.isfile(path.full_path)): | ||
| base_path = '/safe/root/directory' # Define the base directory | ||
| user_path = os.path.normpath(request.match_info["path"]) | ||
| full_path = os.path.join(base_path, user_path) | ||
| if not full_path.startswith(base_path): | ||
| raise web.HTTPForbidden(text="Invalid path") | ||
| path = Path.validate_path(username, full_path) | ||
| if not os.path.exists(path.full_path) or not os.path.isfile(path.full_path): | ||
| # TODO the security model here is to not care if someone wants to put in a false upa | ||
| @@ -515,3 +524,7 @@ | ||
| username = await authorize_request(request) | ||
| path = Path.validate_path(username, request.match_info["path"]) | ||
| user_path = os.path.normpath(request.match_info["path"]) | ||
| full_path = os.path.join(base_path, user_path) | ||
| if not full_path.startswith(base_path): | ||
| raise web.HTTPForbidden(text="Invalid path") | ||
| path = Path.validate_path(username, full_path) | ||
| # make sure directory isn't home |
| @@ -476,30 +482,24 @@ | |||
|
|
|||
|
|
|||
| @routes.post("/define-upa/{path:.+}") | |||
| async def define_UPA(request: web.Request): | |||
| async def define_upa(request: web.Request): | |||
Check failure
Code scanning / CodeQL
Uncontrolled data used in path expression High
Copilot Autofix AI 22 days ago
Copilot could not generate an autofix suggestion
Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.
DTS manifest schema
DTS Manifest parsing
Merge dts-manifest-schema changes into develop
|
Notable Changes from copilot
These changes encompass significant updates and improvements aimed at enhancing functionality and documentation accuracy.