
Conversation

@ohgodwhy2k
Owner

Potential fix for https://github.com/ohgodwhy2k/quicksite/security/code-scanning/2

To fix the issue, we should prevent path traversal by making sure all file access is constrained to the DIST_ROOT directory. The steps are:

  1. Normalize the requested path so that directory traversal like .. is resolved.
  2. Use an absolute root (DIST_ROOT) and ensure the resolved path is always within it, by checking that the final, normalized resolved path starts with (or equals) the absolute root.
  3. Only after passing this check, read and serve the file.

Implement these changes in scripts/serve.js, by:

  • Importing resolve from node:path.
  • Resolving both DIST_ROOT and the requested user path to their absolute versions using path.resolve().
  • After resolution, check that the requested file's path starts with the root directory. If not, return a 403 Forbidden error.

No other functionality should change; file serving and MIME type detection remain as in the original.


Suggested fixes powered by Copilot Autofix. Review carefully before merging.

ohgodwhy2k and others added 3 commits November 21, 2025 16:57
…n path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@ohgodwhy2k ohgodwhy2k marked this pull request as ready for review November 21, 2025 23:04
@ohgodwhy2k ohgodwhy2k merged commit 13c80c8 into main Nov 21, 2025
8 checks passed
@ohgodwhy2k ohgodwhy2k deleted the alert-autofix-2 branch November 21, 2025 23:04