
security-fix: uncontrolled data paths #19

Open
Calvinjmin wants to merge 1 commit into main from security-fix/uncontrolled-data-paths

Conversation

@Calvinjmin (Owner) commented Jan 14, 2026

Description

In config.cpp and client.cpp, there are path manipulation variables that allow users to maliciously inject strings that point to local env files. Through this PR, the SDK now sanitizes the variables prior to their usage.

Closes #

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation
  • Other:

Changes

  • config.cpp and client.cpp now utilize path.utils.h
  • Removed use of the raw variable for path manipulation on files within the local system.

Testing

  • Added/updated tests
  • All tests pass (make test)
  • Tested manually
  • Build and test workflow is successful

Checklist

  • Code follows style guidelines (make format)
  • Self-reviewed my code
  • Commented complex code
  • Updated documentation/Doxygen comments
  • No new warnings or errors
  • Backward compatible (or documented breaking changes)

Breaking Changes

Screenshots


By submitting this PR, I confirm my contribution is made under the MIT License.


std::ifstream file;
if (!config_path.empty()) {
file.open(config_path);

Check failure: Code scanning / CodeQL

Uncontrolled data used in path expression (High)

This argument to a file access function is derived from user input (an environment variable) and then passed to std::basic_ifstream<char, char_traits>::open(__s), which calls std::basic_filebuf<char, char_traits>::open(__s).
This argument to a file access function is derived from user input (an environment variable) and then passed to std::basic_ifstream<char, char_traits>::open(__s).


throw std::runtime_error("Invalid HOME environment variable: " + std::string(e.what()));
}

std::ifstream file(config_path);

Check failure: Code scanning / CodeQL

Uncontrolled data used in path expression (High)

This argument to a file access function is derived from user input (an environment variable) and then passed to std::basic_ifstream<char, char_traits>::basic_ifstream(__s).
This argument to a file access function is derived from user input (an environment variable) and then passed to std::basic_ifstream<char, char_traits>::basic_ifstream(__s), which calls std::basic_ifstream<char, char_traits>::open(__s).
This argument to a file access function is derived from user input (an environment variable) and then passed to std::basic_ifstream<char, char_traits>::basic_ifstream(__s), which calls std::basic_ifstream<char, char_traits>::open(__s), which calls std::basic_filebuf<char, char_traits>::open(__s).

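Both CodeQL alerts flag an std::ifstream opened on a path that ultimately comes from an environment variable. As an added example (not the SDK's own code and not what its path.utils.h does), this is the kind of containment check a defender puts in front of that open: the hypothetical safe_config_path confines the candidate to a trusted base directory, assumed here to be the directory the SDK already derives from $HOME, and open_config refuses anything that resolves outside it.

```cpp
// Added example, not the project's code: validate a path derived from an
// environment variable (such as $HOME) before handing it to std::ifstream.
#include <filesystem>
#include <fstream>
#include <optional>
#include <stdexcept>
#include <string>

namespace fs = std::filesystem;

// Returns the resolved path when `candidate` stays inside the trusted
// directory `base`, std::nullopt otherwise. Function names are hypothetical.
std::optional<fs::path> safe_config_path(const fs::path& base,
                                         const std::string& candidate) {
    if (candidate.empty()) return std::nullopt;
    // Reject any ".." component outright, even one that would stay inside
    // base; this keeps the check simple and independent of normalisation.
    for (const auto& part : fs::path(candidate)) {
        if (part == "..") return std::nullopt;
    }
    std::error_code ec;
    // weakly_canonical resolves symlinks in the existing prefix and tolerates
    // a not-yet-created leaf, so a missing config file is not an error here.
    fs::path root = fs::weakly_canonical(base, ec);
    if (ec) return std::nullopt;
    // An absolute candidate replaces root in operator/, so it is only
    // accepted if it already lies inside base after canonicalisation.
    fs::path resolved = fs::weakly_canonical(root / candidate, ec);
    if (ec) return std::nullopt;
    // Containment is checked on path components, not string prefixes, so
    // "/home/u/conf" is never mistaken for a parent of "/home/u/conf-evil".
    fs::path rel = resolved.lexically_relative(root);
    if (rel.empty() || *rel.begin() == "..") return std::nullopt;
    return resolved;
}

// Opens the config file only after validation; throws on rejected input,
// matching the runtime_error style the SDK already uses for a bad $HOME.
std::ifstream open_config(const fs::path& base, const std::string& candidate) {
    std::optional<fs::path> p = safe_config_path(base, candidate);
    if (!p) {
        throw std::runtime_error("Refusing to open untrusted config path: " +
                                 candidate);
    }
    return std::ifstream(*p);
}
```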
