Skip to content

Potential fix for code scanning alert no. 8: Uncontrolled data used in path expression#3

Closed
VisualBean wants to merge 1 commit into
mainfrom
alert-autofix-8
Closed

Potential fix for code scanning alert no. 8: Uncontrolled data used in path expression#3
VisualBean wants to merge 1 commit into
mainfrom
alert-autofix-8

Conversation

@VisualBean

@VisualBean VisualBean commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Potential fix for https://github.com/ByteBardOrg/simplecontainerregistry/security/code-scanning/8

General fix: validate untrusted path components with strict allowlisting before using them in filesystem paths, and fail closed when invalid. For tag names used as filenames, accept only safe filename characters and reject separators / traversal-like input.

Best fix here without changing intended behavior: in internal/storage/filesystem.go, harden sanitizeReference so it returns an error and enforces a safe filename policy (non-empty, no / or \, no .., only [A-Za-z0-9._-]). Then update linkManifestTag to use this validator and return the error instead of writing with an unsafe path. This addresses both CodeQL variants because both flows end at the same sink (os.WriteFile(tagPath, ...)).

Changes needed:

  • sanitizeReference signature: func sanitizeReference(reference string) (string, error)
  • Add validation logic using existing strings/fmt imports (no new dependency needed).
  • Update call site in linkManifestTag to handle error and use validated name in safeJoin.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Summary by CodeRabbit

  • Bug Fixes
    • Improved validation for references and tags.
    • Prevented invalid or unsafe path values from being used when linking manifests.
    • Added clearer handling for empty, malformed, or disallowed references.

…n path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 39ec3a82-5dc6-4568-8a07-b5ad9bcc0da5

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • ✅ Review completed - (🔄 Check again to review again)
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch alert-autofix-8

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/storage/filesystem.go`:
- Around line 675-692: Update every call to sanitizeReference in ManifestPath,
GetManifest, and DeleteManifest to handle its (string, error) result before
passing the sanitized value to safeJoin, propagating or returning the validation
error appropriately. Remove the redundant slash and backslash checks from
sanitizeReference, leaving the whitelist validation to reject them.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f0eb2518-572a-45fa-b46d-9984c4199522

📥 Commits

Reviewing files that changed from the base of the PR and between a59eaa5 and d1ece57.

📒 Files selected for processing (1)
  • internal/storage/filesystem.go

Comment on lines +675 to +692
func sanitizeReference(reference string) (string, error) {
reference = strings.TrimSpace(reference)
if reference == "" {
return "", fmt.Errorf("invalid reference")
}
if strings.Contains(reference, "/") || strings.Contains(reference, "\\") || strings.Contains(reference, "..") {
return "", fmt.Errorf("invalid reference")
}
for _, r := range reference {
if (r >= 'a' && r <= 'z') ||
(r >= 'A' && r <= 'Z') ||
(r >= '0' && r <= '9') ||
r == '.' || r == '-' || r == '_' {
continue
}
return "", fmt.Errorf("invalid reference")
}
return reference, nil

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Find all usages of sanitizeReference to ensure all call sites are updated.

rg -n -C 2 'sanitizeReference\(' internal/storage/

Repository: ByteBardOrg/simplecontainerregistry

Length of output: 1852


🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '60,190p' internal/storage/filesystem.go | cat -n

Repository: ByteBardOrg/simplecontainerregistry

Length of output: 4758


Handle sanitizeReference's error at every call site

ManifestPath, GetManifest, and DeleteManifest still pass sanitizeReference(...) straight into safeJoin; each needs to unwrap the (string, error) result first or this file won't compile. The / and \ checks are redundant with the whitelist loop.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/storage/filesystem.go` around lines 675 - 692, Update every call to
sanitizeReference in ManifestPath, GetManifest, and DeleteManifest to handle its
(string, error) result before passing the sanitized value to safeJoin,
propagating or returning the validation error appropriately. Remove the
redundant slash and backslash checks from sanitizeReference, leaving the
whitelist validation to reject them.

@VisualBean VisualBean closed this Jul 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant