Skip to content

[pull] main from itigges22:main#48

Merged
pull[bot] merged 1 commit into
tqa24:mainfrom
itigges22:main
Jul 15, 2026
Merged

[pull] main from itigges22:main#48
pull[bot] merged 1 commit into
tqa24:mainfrom
itigges22:main

Conversation

@pull

@pull pull Bot commented Jul 15, 2026

Copy link
Copy Markdown

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

Request-derived file paths (syntax-check filenames, Java class/package
names) were already constrained — _safe_overlay_path rejects absolute
and '..' paths, and the Java identifiers come from restrictive regexes —
but those guards raise instead of transforming the value, which
py/path-injection taint tracking cannot follow. Every language PR that
touched _syntax_check_impl therefore shipped with new high-severity
alerts to dismiss by hand (#140, #141), and alert 510 sat open against
the java branch.

_contained_path() joins under the workspace and applies the
normpath + prefix check CodeQL models as a sanitizer; all ten
filename-derived writes and both Java path builders now go through it.
Doubles as real defense-in-depth for the Java identifiers, which
previously relied on regex shape alone.
@pull pull Bot locked and limited conversation to collaborators Jul 15, 2026
@pull pull Bot added the ⤵️ pull label Jul 15, 2026
@pull pull Bot merged commit 3994d7e into tqa24:main Jul 15, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant