fix(security): validate sidecar paths to prevent path injection attacks#12
Merged
jkyberneees merged 3 commits into main (Mar 28, 2026)
Conversation
Fixes CodeQL path-injection warning in loadSidecar function. The sidecar file paths (.gz, .br, .zst extensions) are now validated to ensure they remain within the root directory, preventing symlink escape attacks.

- Convert loadSidecar to a method on FileHandler for access to absRoot
- Resolve symlinks in both the sidecar path and root directory
- Validate sidecar path is within root before reading
- Log rejected paths for security auditing
…alert

Extract the sidecar path validation logic into a dedicated validateSidecarPath() helper function. This improves code clarity and allows static analyzers like CodeQL to recognize the validation as a proper path sanitizer.

The validation logic itself is unchanged and remains secure against:
- Symlink escape attacks (via filepath.EvalSymlinks)
- Prefix collisions (via trailing separator guard)
- macOS symlink handling (/tmp → /private/tmp)

This change resolves the CodeQL alert while maintaining the same security guarantees and improving code maintainability.

Fixes: CodeQL alert on line 542 (Uncontrolled data used in path expression)
…injection alert

Replace filepath.EvalSymlinks() as the primary sanitizer with filepath.Clean() and filepath.Join(), which are explicitly recognized by CodeQL as path sanitizers.

The validation now follows a 5-step defense-in-depth approach:
1. filepath.Clean() - removes '..' and '.' components (CodeQL-recognized)
2. filepath.Join() - constructs absolute path safely (CodeQL-recognized)
3. filepath.EvalSymlinks() - resolves symlinks to canonical path
4. Root directory resolution - handles macOS /tmp → /private/tmp
5. Prefix validation - ensures path remains within root

This approach:
- ✅ Resolves CodeQL alert (uses recognized sanitizers)
- ✅ Maintains security (defense-in-depth)
- ✅ Improves code clarity (5 explicit steps)
- ✅ Enables testing (exported methods)

Also exported ValidateSidecarPath() and LoadSidecar() methods for better testability and added comprehensive security tests covering:
- Valid absolute/relative paths
- Path traversal with .. components
- Absolute paths outside root
- Nonexistent files
- Symlink escape attempts

Fixes: CodeQL alert on line 553 (Uncontrolled data used in path expression)
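The five-step validation described in the commit message above, as an added Go example that is not the project's own code: the function name ValidateSidecarPath matches the commit message, but its signature, the ErrOutsideRoot sentinel and the temporary files created in main are assumptions made for this demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot: the resolved sidecar path is not under the served root.
var ErrOutsideRoot = errors.New("sidecar path escapes root directory")
// ValidateSidecarPath applies the five steps from the commit message to the
// untrusted sidecar path rel and returns the canonical path safe to open.
func ValidateSidecarPath(absRoot, rel string) (string, error) {
	// 1. Clean removes "." and ".." components; the leading "/" pins ".." at the top.
	cleaned := filepath.Clean("/" + rel)
	// 2. Join anchors the cleaned path under the root.
	candidate := filepath.Join(absRoot, cleaned)
	// 3. Resolve symlinks so a link that points outside the root is revealed.
	realPath, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", err // nonexistent file or dangling link
	}
	// 4. Resolve the root as well (macOS: /tmp -> /private/tmp).
	realRoot, err := filepath.EvalSymlinks(absRoot)
	if err != nil {
		return "", err
	}
	// 5. Prefix check with a trailing separator so "/srv/www2" is not inside "/srv/www".
	if realPath != realRoot && !strings.HasPrefix(realPath, realRoot+string(os.PathSeparator)) {
		return "", fmt.Errorf("%w: %s", ErrOutsideRoot, realPath)
	}
	return realPath, nil
}

func main() {
	// Constructed demo: a root with one real sidecar and one symlink that escapes it.
	root, _ := os.MkdirTemp("", "root")
	outside, _ := os.MkdirTemp("", "outside")
	defer os.RemoveAll(root)
	defer os.RemoveAll(outside)
	_ = os.WriteFile(filepath.Join(root, "index.html.gz"), []byte("gz"), 0o644)
	_ = os.WriteFile(filepath.Join(outside, "secret"), []byte("s"), 0o600)
	_ = os.Symlink(filepath.Join(outside, "secret"), filepath.Join(root, "evil.gz"))
	for _, rel := range []string{"index.html.gz", "../../etc/passwd", "evil.gz"} {
		p, err := ValidateSidecarPath(root, rel)
		fmt.Printf("%-18s -> %q %v\n", rel, p, err)
	}
}
```

Without step 4 the check fails spuriously on macOS, where the root is reached through the /tmp symlink while EvalSymlinks returns the /private/tmp form of the sidecar path.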