From 7d62e4296bd92db0eb37c6d8b154bc83e5328d8a Mon Sep 17 00:00:00 2001
From: Kris Powers <85710701+KrisPowers@users.noreply.github.com>
Date: Sun, 24 May 2026 15:58:15 -0400
Subject: [PATCH 1/3] Potential fix for code scanning alert no. 3: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 app/preview_server.go | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/app/preview_server.go b/app/preview_server.go
index d6aa6cc9..b89ad862 100644
--- a/app/preview_server.go
+++ b/app/preview_server.go
@@ -4,8 +4,10 @@ import (
 "fmt"
 "net"
 "net/http"
+ "os"
 "path/filepath"
 goruntime "runtime"
+ "strings"
 "sync"
 )
@@ -62,8 +64,32 @@ func previewFileHandler(w http.ResponseWriter, r *http.Request) {
 return
 }
+ baseDir, err := os.Getwd()
+ if err != nil {
+ http.NotFound(w, r)
+ return
+ }
+
+ baseDir, err = filepath.Abs(filepath.Clean(baseDir))
+ if err != nil {
+ http.NotFound(w, r)
+ return
+ }
+
+ resolvedPath, err := filepath.Abs(filepath.Clean(fsPath))
+ if err != nil {
+ http.NotFound(w, r)
+ return
+ }
+
+ basePrefix := baseDir + string(os.PathSeparator)
+ if resolvedPath != baseDir && !strings.HasPrefix(resolvedPath, basePrefix) {
+ http.NotFound(w, r)
+ return
+ }
+
 // Disable directory listings — serve only files
- http.ServeFile(w, r, fsPath)
+ http.ServeFile(w, r, resolvedPath)
 }
 // localFileURL converts an absolute OS path to the URL that the local preview
From a5329cc146b7a7bab20497ba1be0f866fb8f18c9 Mon Sep 17 00:00:00 2001
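Review bot: The allow-list root introduced in the second hunk is the process's working directory at request time (`os.Getwd()`), not whatever root `fsPath` is computed from above the hunk (not visible here), so what is servable depends on where the binary was launched and on any later `os.Chdir`: everything beneath the cwd is exposed and anything outside it gets 404. The root resolution (Getwd, Clean/Abs, and the EvalSymlinks added in the second patch) is request-invariant work, so capture the canonical root once when the preview server starts, from the same setting that produces `fsPath`, and have the handler only compare against it. The `resolvedPath != baseDir` clause accepts the root directory itself, and `http.ServeFile` renders a directory listing (or index.html) when handed a directory, so the "Disable directory listings — serve only files" comment is not enforced by this code; unless the lines above the hunk already stat the path and reject directories, add `if info, err := os.Stat(resolvedPath); err != nil || info.IsDir() {` in front of the same `http.NotFound(w, r)`/`return` pair — the `filepath.Rel` rewrite in the third patch keeps the same gap via `relPath == "."`. `filepath.Abs` already cleans its argument, so the `filepath.Clean` wrappers on both calls are redundant. previewFileHandler begins before this hunk.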
From: Kris Powers <85710701+KrisPowers@users.noreply.github.com>
Date: Sun, 24 May 2026 17:07:08 -0400
Subject: [PATCH 2/3] Potential fix for pull request finding 'CodeQL / Uncontrolled data used in path expression'
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 app/preview_server.go | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/app/preview_server.go b/app/preview_server.go
index b89ad862..3a76beb1 100644
--- a/app/preview_server.go
+++ b/app/preview_server.go
@@ -76,20 +76,32 @@ func previewFileHandler(w http.ResponseWriter, r *http.Request) {
 return
 }
+ baseDirCanonical, err := filepath.EvalSymlinks(baseDir)
+ if err != nil {
+ http.NotFound(w, r)
+ return
+ }
+
 resolvedPath, err := filepath.Abs(filepath.Clean(fsPath))
 if err != nil {
 http.NotFound(w, r)
 return
 }
- basePrefix := baseDir + string(os.PathSeparator)
- if resolvedPath != baseDir && !strings.HasPrefix(resolvedPath, basePrefix) {
+ resolvedPathCanonical, err := filepath.EvalSymlinks(resolvedPath)
+ if err != nil {
+ http.NotFound(w, r)
+ return
+ }
+
+ basePrefix := baseDirCanonical + string(os.PathSeparator)
+ if resolvedPathCanonical != baseDirCanonical && !strings.HasPrefix(resolvedPathCanonical, basePrefix) {
 http.NotFound(w, r)
 return
 }
 // Disable directory listings — serve only files
- http.ServeFile(w, r, resolvedPath)
+ http.ServeFile(w, r, resolvedPathCanonical)
 }
 // localFileURL converts an absolute OS path to the URL that the local preview
From 6a34a7f236a1ba30d46daaba4ac485e679a49f29 Mon Sep 17 00:00:00 2001
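Review bot: Canonicalising with `filepath.EvalSymlinks` and then handing the string to `http.ServeFile` leaves a window in which any component of `resolvedPathCanonical` can be swapped for a symlink before ServeFile opens it, so the containment check is a point-in-time lexical test rather than something enforced at open. If the module's Go version allows (os.Root is Go 1.24+), open the root once with `os.OpenRoot` and serve through `http.ServeFileFS` over `root.FS()` with the root-relative name, so the kernel-side traversal cannot leave the root; otherwise at least compute `baseDirCanonical` once at startup instead of on every request. Every failure in this hunk, including errors resolving the server's own root, collapses to a 404, which is the right answer for the client but should still be logged server-side so a misconfigured or moved root does not show up as "file not found" for every preview. previewFileHandler begins before this hunk.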
From: Kris Powers <85710701+KrisPowers@users.noreply.github.com>
Date: Sun, 24 May 2026 17:39:40 -0400
Subject: [PATCH 3/3] Potential fix for pull request finding 'CodeQL / Uncontrolled data used in path expression'
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 app/preview_server.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/app/preview_server.go b/app/preview_server.go
index 3a76beb1..e496b27e 100644
--- a/app/preview_server.go
+++ b/app/preview_server.go
@@ -94,8 +94,12 @@ func previewFileHandler(w http.ResponseWriter, r *http.Request) {
 return
 }
- basePrefix := baseDirCanonical + string(os.PathSeparator)
- if resolvedPathCanonical != baseDirCanonical && !strings.HasPrefix(resolvedPathCanonical, basePrefix) {
+ relPath, err := filepath.Rel(baseDirCanonical, resolvedPathCanonical)
+ if err != nil {
+ http.NotFound(w, r)
+ return
+ }
+ if relPath == ".." || strings.HasPrefix(relPath, ".."+string(os.PathSeparator)) {
 http.NotFound(w, r)
 return
 }
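Review bot: The hand-rolled `..` test on the new `if relPath == ".." || strings.HasPrefix(...)` line is what `filepath.IsLocal` (Go 1.20+) already implements, and IsLocal additionally rejects Windows reserved names such as `NUL`; since `filepath.Rel` never returns an empty string, the line can become `if relPath == "." || !filepath.IsLocal(relPath) {`. The `relPath == "."` clause matters because `Rel` yields `"."` when the canonical path is the root directory itself, which the current condition accepts and which `http.ServeFile` would then render as a directory listing despite the "serve only files" comment. `filepath.Rel` errors when the two paths sit on different volumes, so routing that through the new `err != nil` branch is correct and needs no extra handling. The closing of previewFileHandler lies after this hunk.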