Skip to content

Comments

Potential fix for code scanning alert no. 427: Uncontrolled data used in path expression#2362

Merged
ZePan110 merged 1 commit intomainfrom
alert-autofix-427
Dec 16, 2025
Merged

Potential fix for code scanning alert no. 427: Uncontrolled data used in path expression#2362
ZePan110 merged 1 commit intomainfrom
alert-autofix-427

Conversation

@ZePan110
Copy link
Collaborator

@ZePan110 ZePan110 commented Dec 15, 2025
edited
Loading

Potential fix for https://github.com/opea-project/GenAIExamples/security/code-scanning/427
#2352
test pass https://github.com/opea-project/GenAIExamples/actions/runs/20253422487
How to, in general terms, fix the problem:
Paths provided by untrusted users must be checked before use. A common solution is to restrict file access to a known-safe directory. This is typically implemented by joining the user-supplied path to a safe root, normalizing the path, and ensuring the result still points inside the intended directory.

Detailed description of the single best way to fix the problem without changing existing functionality:

  • In get_prompt_template, before using Path(template_path).read_text, validate or restrict template_path.
  • Adopt the pattern used in QnAGenerator.prompt_handler: define a trusted root (e.g., /templates), join and normalize the path, and verify that the resulting path starts with the root.
  • Only after such validation, read the file.
  • This edit should appear in EdgeCraftRAG/edgecraftrag/utils.py in the get_prompt_template method, surrounding or replacing the existing read logic for template_path.

What is needed:

  • Possibly an import of os.path if not present (already present).
  • Insert safe path logic in get_prompt_template.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@ZePan110 @github-advanced-security
Potential fix for code scanning alert no. 427: Uncontrolled data used…
6c5fd3b 
… in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@github-actions
Copy link

github-actions bot commented Dec 15, 2025

Dependency Review

✅ No vulnerabilities or license issues found.

Scanned Files

None

@ZePan110 ZePan110 marked this pull request as ready for review December 15, 2025 10:16
Copilot AI review requested due to automatic review settings December 15, 2025 10:16
Copilot AI reviewed Dec 15, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses a path traversal security vulnerability (code scanning alert #427) by implementing input validation for user-supplied template paths in the get_prompt_template function.

Key changes:

  • Adds path validation logic to restrict file access to a safe root directory (/templates)
  • Implements path normalization and bounds checking before reading template files
  • Adds explicit error handling for invalid paths and missing files

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@ZePan110 ZePan110 merged commit a16d61c into main Dec 16, 2025
36 checks passed
@ZePan110 ZePan110 deleted the alert-autofix-427 branch December 16, 2025 03:13
cogniware-devops pushed a commit to Cogniware-Inc/GenAIExamples that referenced this pull request Dec 19, 2025
@ZePan110 @github-advanced-security @cogniware-devops
Potential fix for code scanning alert no. 427: Uncontrolled data used…
029b556 
… in path expression (opea-project#2362)

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: cogniware-devops <ambarish.desai@cogniware.ai>
cogniware-devops pushed a commit to Cogniware-Inc/GenAIExamples that referenced this pull request Dec 19, 2025
@ZePan110 @github-advanced-security @cogniware-devops
Potential fix for code scanning alert no. 427: Uncontrolled data used…
f5038d5 
… in path expression (opea-project#2362)

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: cogniware-devops <ambarish.desai@cogniware.ai>
cogniware-devops pushed a commit to Cogniware-Inc/GenAIExamples that referenced this pull request Dec 19, 2025
@ZePan110 @github-advanced-security @cogniware-devops
Potential fix for code scanning alert no. 427: Uncontrolled data used…
7eec2ee 
… in path expression (opea-project#2362)

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: cogniware-devops <ambarish.desai@cogniware.ai>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@chensuyue chensuyue chensuyue approved these changes

@lvliang-intel lvliang-intel lvliang-intel approved these changes

@Yongbozzz Yongbozzz Awaiting requested review from Yongbozzz Yongbozzz is a code owner

@myqi myqi Awaiting requested review from myqi myqi is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ZePan110 @chensuyue @lvliang-intel