Skip to content

Potential fix for code scanning alert no. 17: Uncontrolled data used in path expression#84

Draft
maxirmx wants to merge 1 commit into
mainfrom
alert-autofix-17
Draft

Potential fix for code scanning alert no. 17: Uncontrolled data used in path expression#84
maxirmx wants to merge 1 commit into
mainfrom
alert-autofix-17

Conversation

@maxirmx

@maxirmx maxirmx commented Jun 28, 2026

Copy link
Copy Markdown
Member

Potential fix for https://github.com/sw-consulting/media-pi.device/security/code-scanning/17

To fix this safely without changing core functionality (still allowing configurable subdirectories), validate that playlistDestination resolves under a fixed safe base directory before saving it. The best place is in HandleConfigurationUpdate (input validation boundary), and optionally enforce again at use sites for defense-in-depth.
For the shown code, update internal/agent/menu.go where cleanDestination is computed:

  • Define a constant safe base dir (for example /var/media-pi).
  • Resolve both safe base and candidate destination to absolute, cleaned paths.
  • Reject if destination is not equal to base and not under base + path separator.
  • Keep storing the validated absolute path (cleanDestination) in config as before.

This prevents traversal and arbitrary absolute path selection while preserving intended behavior of writing playlists into configurable folders under the application directory.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant