Fix for Call to 'System.IO.Path.Combine' may silently drop its earlier arguments #25
Merged
guitarrapc merged 2 commits into main from Mar 3, 2026
…r arguments Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
In general, to fix this class of problem you should ensure that the argument appended via `Path.Combine` cannot be an absolute path. You can either: (1) validate and reject/sanitize absolute paths, or (2) normalize relative paths using `Path.GetFileName` or similar to strip directory and root information, guaranteeing that `Path.Combine` always combines with the intended base directory.

The best targeted fix here, without changing functionality, is to ensure that `fileName` is only a file name, not an absolute or directory-containing path. We can do this by wrapping the concatenation in `Path.GetFileName`, which strips any directory components and any root from `className`. So we change the assignment to:

This keeps the behavior identical for normal `className` values (no directory separators), but prevents a malicious or malformed `className` from turning into an absolute path or including directories. No extra imports are needed because `System.IO.Path` is already used in this file (and `System.IO` is implicitly available).

Concretely, in `src/MySQLToCsharp/Generator.cs`, update line 26 to compute `fileName` using `Path.GetFileName(className)` before combining it into `outputFile`. No other parts of the file need modification.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
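The behaviour described above, as an added example that is not the project's code: it puts the flagged `Path.Combine` pattern beside the `Path.GetFileName` form, and goes one step further than the description by also checking that the resolved path stays under the base directory. The names `outputFolder`, `BuildUnsafe` and `BuildSafe`, the `.cs` suffix and the sample inputs are assumptions made for illustration.

```csharp
using System;
using System.IO;

// Added example; not code from src/MySQLToCsharp/Generator.cs.
// outputFolder, BuildUnsafe, BuildSafe and the ".cs" suffix are hypothetical.
static class PathCombineDemo
{
    // Flagged pattern: if the second argument is rooted, Path.Combine
    // discards outputFolder and returns the second argument alone.
    static string BuildUnsafe(string outputFolder, string className)
        => Path.Combine(outputFolder, className + ".cs");

    // Option (2) from the description, followed by a containment check.
    static string BuildSafe(string outputFolder, string className)
    {
        // Strip any root and directory components from the caller-supplied name.
        string fileName = Path.GetFileName(className + ".cs");

        // Resolve both paths and require the result to sit under the base.
        // This also covers separators GetFileName does not recognise on the
        // current platform (for example '\' on Linux).
        string baseDir = Path.GetFullPath(outputFolder)
                             .TrimEnd(Path.DirectorySeparatorChar)
                         + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(baseDir, fileName));
        if (!full.StartsWith(baseDir, StringComparison.Ordinal))
            throw new ArgumentException(
                "Resolved path is outside the output folder.", nameof(className));
        return full;
    }

    static void Main()
    {
        string outputFolder = Path.Combine(Path.GetTempPath(), "generated");

        // Constructed inputs: a normal name, a rooted path, a parent
        // traversal, and a name that carries directory components.
        string[] samples = { "User", "/tmp/Evil", "../../Evil", "sub/dir/Order" };

        foreach (string className in samples)
        {
            Console.WriteLine($"input : {className}");
            Console.WriteLine($"unsafe: {BuildUnsafe(outputFolder, className)}");
            Console.WriteLine($"safe  : {BuildSafe(outputFolder, className)}");
            Console.WriteLine();
        }
    }
}
```

Note that `Path.GetFileName` changes where `sub/dir/Order` is written (the subdirectories are dropped), so a caller that relies on nested output paths needs the reject-and-validate option instead.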