H5json #420
H5json #420
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
tests/unit/array_util_test.py
Outdated
There was a problem hiding this comment.
Since we now depend on hdf5-json to do this testing, it might be a good idea to include hdf5-json's tests as a step in the CI
hsds/group_sn.py
Outdated
| created = link_item["created"] | ||
| # allow "pre-dated" attributes if recent enough | ||
| predate_max_time = config.get("predate_max_time", default=10.0) | ||
| if now - created > predate_max_time: |
There was a problem hiding this comment.
This comparison seems backwards. If I understand correctly, the difference between current time and creation time should need to be under the max time, not above it
| dirpath = pp.normpath(dirpath) | ||
| log.debug(f"normpath: {dirpath}") | ||
|
|
||
| if not pp.isdir(dirpath): |
Check failure
Code scanning / CodeQL
Uncontrolled data used in path expression High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 1 month ago
To fix the issue, we need to ensure that the dirpath variable in the _mkdir method is validated to confirm it is within the safe root directory (self._root_dir). This can be achieved by:
- Normalizing the
dirpathusingos.path.normpath. - Verifying that the normalized
dirpathstarts withself._root_dir. If it does not, raise an exception to prevent unsafe directory creation.
The _mkdir method should be updated to include this validation step before proceeding to create the directory.
| @@ -183,2 +183,8 @@ | ||
|
|
||
| # Ensure dirpath is within the root directory | ||
| if not dirpath.startswith(self._root_dir): | ||
| msg = f"Attempt to create directory outside root: {dirpath}" | ||
| log.error(msg) | ||
| raise HTTPBadRequest(reason=msg) | ||
|
|
||
| if not pp.isdir(dirpath): |
|
|
||
| if not pp.isdir(dirpath): | ||
| log.debug(f"mkdir({dirpath})") | ||
| mkdir(dirpath) |
Check failure
Code scanning / CodeQL
Uncontrolled data used in path expression High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 1 month ago
To fix the issue, we need to ensure that the constructed dirpath is validated to confirm it is within the intended root directory (self._root_dir). This can be achieved by:
- Normalizing the path using
os.path.normpath. - Verifying that the normalized path starts with
self._root_dir.
The _getFilePath method should be updated to include this validation. Additionally, the _mkdir method should rely on the validated path returned by _getFilePath.
| @@ -59,4 +59,8 @@ | ||
| def _getFilePath(self, bucket, key=""): | ||
| filepath = pp.join(self._root_dir, bucket, key) | ||
| return pp.normpath(filepath) | ||
| filepath = pp.normpath(pp.join(self._root_dir, bucket, key)) | ||
| if not filepath.startswith(self._root_dir): | ||
| msg = f"Invalid path: {filepath} is outside the root directory" | ||
| log.error(msg) | ||
| raise HTTPBadRequest(reason=msg) | ||
| return filepath | ||
|
|
||
| @@ -180,4 +184,4 @@ | ||
| try: | ||
| dirpath = pp.normpath(dirpath) | ||
| log.debug(f"normpath: {dirpath}") | ||
| log.debug(f"mkdir: validating path {dirpath}") | ||
| dirpath = self._getFilePath(dirpath, key="") # Validate path | ||
|
|
|
@jreadey Linter issues are preventing CI from running on this right now |
Use h5json package for typing and objids