temp #233

Closed
bartholomew-smith[bot] wants to merge 2 commits into master from temp

Conversation

@bartholomew-smith (Contributor)

Pull Request automatically created

This commit deletes the entire `githubapp` module, including `events`, `test_helper`, and configuration files, as well as classes for handling GitHub events and check runs. This likely indicates the functionality has been deprecated, migrated, or replaced.
@bartholomew-smith bartholomew-smith bot enabled auto-merge (squash) August 7, 2025 13:02
This commit fixes the style issues introduced in fed4c65 according to the output
from Black, isort and Ruff Formatter.

Details: #233
@deepsource-io

deepsource-io bot commented Aug 7, 2025

Here's the code health analysis summary for commits eb92674..d34f012. View details on DeepSource ↗.

Analysis Summary

Analyzer      | Status                    | Summary                                                                  | Link
Test coverage | ⚠️ Artifact not reported  | Timed out: Artifact was never reported                                   | View Check ↗
Python        | ❌ Failure                | ❗ 8 occurrences introduced; 🎯 1 occurrence resolved; 🚨 1 failing metric | View Check ↗

💡 If you’re a repository administrator, you can configure the quality gates from the settings.

        print("Saving in", file_name, end="...", flush=True)
        data = clean_data(data)
        data["installation"]["id"] = 12345678
        with open(file_name, "w") as file:

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression (High)

This path depends on a user-provided value.

Copilot Autofix

AI 6 months ago

To fix the problem, we need to ensure that the constructed file path cannot escape the intended payloads directory (PAYLOADS_FOLDER). The best way to do this is to:

  1. Sanitize the event_full_name so that it cannot contain path traversal characters or other problematic input. The most robust way is to use werkzeug.utils.secure_filename, which strips out dangerous characters and ensures the filename is safe.
  2. Alternatively, and in addition, after constructing the full path, normalize it with os.path.normpath and check that it still resides within PAYLOADS_FOLDER (i.e., the normalized path starts with the absolute path of PAYLOADS_FOLDER).

Since we are only allowed to use well-known libraries, and werkzeug.utils.secure_filename is a standard tool for this in Flask apps, we will use it. We will also add an import for secure_filename at the top of the file.

Changes to make:

  • Add from werkzeug.utils import secure_filename to the imports.
  • When constructing file_name, use secure_filename(event_full_name) instead of the raw value.
  • Optionally, for extra defense, after joining and normalizing the path, check that it is still within PAYLOADS_FOLDER.

Suggested changeset 1
payload_helper.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/payload_helper.py b/payload_helper.py
--- a/payload_helper.py
+++ b/payload_helper.py
@@ -7,2 +7,3 @@
 from flask import request, Flask
+from werkzeug.utils import secure_filename
 from pcommand import ArgumentParser, command
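Review bot: `secure_filename` is imported from Werkzeug, which arrives transitively through Flask; if Werkzeug is not already listed as a direct dependency of this project, declare it explicitly so a future Flask upgrade that changes its Werkzeug pin does not silently break this import.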
@@ -122,3 +123,4 @@
         print()
-        file_name = f"{PAYLOADS_FOLDER}/{event_full_name}.json"
+        safe_event_full_name = secure_filename(event_full_name)
+        file_name = f"{PAYLOADS_FOLDER}/{safe_event_full_name}.json"
         print("Saving in", file_name, end="...", flush=True)
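Review bot: `secure_filename` can return an empty string (for example when the input consists only of dots or separators), in which case `file_name` becomes `{PAYLOADS_FOLDER}/.json` and the write still proceeds; add a guard such as `if not safe_event_full_name: raise ValueError(...)` before building `file_name`, and apply the second defence the explanation itself recommends, normalising the joined path and checking it still lies under `PAYLOADS_FOLDER` before opening it.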
EOF
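The autofix explanation above lists two defences against the flagged path traversal: sanitise the event name, and confirm that the normalised path still lies under `PAYLOADS_FOLDER`. The following is an added example (not code from this pull request or the project) showing both applied together. It uses an allowlist regular expression from the standard library in place of `werkzeug.utils.secure_filename` so it runs without Werkzeug installed; the directory value and the sample event names are constructed placeholders, and the function names `sanitize_event_name`, `is_within_dir` and `safe_payload_path` are this example's own.

```python
import os
import re

# Constructed example, not code from the pull request. PAYLOADS_FOLDER and
# event_full_name mirror the names in the patch; the directory is a placeholder.
PAYLOADS_FOLDER = "/srv/app/payloads"

# Allowlist for GitHub event names such as "check_run.completed": a leading
# letter or digit, then letters, digits, dots, underscores or hyphens. This
# stands in for werkzeug.utils.secure_filename so no third-party package is needed.
_EVENT_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def sanitize_event_name(event_full_name: str) -> str:
    """Return the event name unchanged if it matches the allowlist, else raise ValueError.

    Rejecting rather than silently rewriting means an empty or traversal-looking
    name never reaches the path construction at all.
    """
    if not isinstance(event_full_name, str) or not _EVENT_NAME_RE.match(event_full_name):
        raise ValueError(f"rejected event name: {event_full_name!r}")
    return event_full_name


def is_within_dir(base_dir: str, candidate: str) -> bool:
    """True if candidate, after normalisation and symlink resolution, lies inside base_dir.

    A plain string-prefix test is not enough: "/srv/app/payloads-old/x.json"
    starts with "/srv/app/payloads" but is outside it, so compare whole path
    components with os.path.commonpath instead.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(candidate)
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:  # paths on different drives (Windows) share no common path
        return False


def safe_payload_path(base_dir: str, event_full_name: str) -> str:
    """Build the JSON file path for an event using both defences: allowlist, then containment."""
    name = sanitize_event_name(event_full_name)
    candidate = os.path.join(base_dir, f"{name}.json")
    # Second, independent check, as the autofix explanation suggests: even if the
    # allowlist were loosened later, a path that escapes base_dir is still refused.
    if not is_within_dir(base_dir, candidate):
        raise ValueError(f"path escapes {base_dir}: {candidate}")
    return os.path.realpath(candidate)


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate event name and three hostile ones.
    for sample in ["check_run.completed", "../../etc/passwd", "push/opened", ""]:
        try:
            print(f"{sample!r:24} -> {safe_payload_path(PAYLOADS_FOLDER, sample)}")
        except ValueError as exc:
            print(f"{sample!r:24} -> REJECTED ({exc})")
```

`is_within_dir` resolves symlinks with `os.path.realpath` rather than only `os.path.normpath`, so a symlink planted inside the payloads directory cannot redirect the write elsewhere; if the directory is expected to contain symlinks deliberately, `normpath` plus `abspath` is the weaker but more permissive alternative.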


Micro-Learning Topic: Uncontrolled data used in path expression (Detected by phrase)

Matched on "Uncontrolled data used in path expression"

Accessing paths influenced by users can allow an attacker to access unexpected resources.

Helpful references
  • OWASP Input Validation Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing injection and input validation flaws in your applications, including defence against path traversal.
  • OWASP Path Traversal - OWASP community page with comprehensive information about path traversal, and links to various OWASP resources to help detect or prevent it.

auto-merge was automatically disabled December 11, 2025 15:21

Pull request was closed

@heitorpolidoro heitorpolidoro deleted the temp branch December 11, 2025 15:21