fixing a bug spotted in codeql

BDonnot · BDonnot · commit e7c756211999 · 2026-05-21T16:19:50.000+02:00
Signed-off-by: DONNOT Benjamin &lt;benjamin.donnot@rte-france.com&gt;
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -102,6 +102,7 @@ Native multi agents support:
 
 [1.12.5] - 2026-05-xx
 -------------------------
+- [FIXED] some security quality issue spotted by codeQL (I/O function call with non totally checked user input)
 - [ADDED] automatic release on pypi
 - [ADDED] a file 
 - [IMPROVED] clarifying the CONTRIBUTING.md document
diff --git a/grid2op/tests/test_utils.py b/grid2op/tests/test_utils.py
@@ -9,6 +9,7 @@
 import copy
 import json
 import os
+import re
 from hashlib import blake2b
 from unittest.mock import patch
 import numpy as np
@@ -614,6 +615,42 @@ def test_regex_rejects_path_traversal(self):
 
                 scores.clear_all()
 
+    def test_dotdot_passes_regex_but_containment_check_blocks_it(self):
+        """Layer 3 (realpath containment check, fix for S2083).
+
+        A bare '..' has no '/' so it passes REGEX_SPLIT, which only blocks
+        multi-component paths like '../../etc/passwd'.  Before the fix,
+        os.path.join(path_save, '..', META_FILE) would silently read a file
+        one directory above path_save.  The realpath containment check now
+        catches this case.
+        """
+        # First, confirm that '..' passes the regex — documenting WHY the regex
+        # alone is not sufficient.
+        self.assertIsNotNone(
+            re.match(EpisodeStatistics.REGEX_SPLIT_COMPILED, ".."),
+            "'..' contains only dots which are in the allowed charset — "
+            "regex alone cannot block single-component traversal",
+        )
+
+        with warnings.catch_warnings():
+            warnings.filterwarnings("ignore")
+            with grid2op.make(
+                "rte_case5_example", test=True, _add_to_name=type(self).__name__
+            ) as env:
+                scores = ScoreL2RPN2020(env, nb_scenario=2, verbose=0, max_step=10)
+                my_agent = DoNothingAgent(env.action_space)
+
+                malicious_meta = copy.deepcopy(scores.stat_dn.get_metadata())
+                malicious_meta["0"]["scenario_name"] = ".."
+
+                with patch.object(
+                    scores.stat_dn, "get_metadata", return_value=malicious_meta
+                ):
+                    with self.assertRaises(RuntimeError):
+                        scores.get(my_agent)
+
+                scores.clear_all()
+
 
 if __name__ == "__main__":
     unittest.main()
diff --git a/grid2op/utils/l2rpn_2020_scores.py b/grid2op/utils/l2rpn_2020_scores.py
@@ -383,20 +383,35 @@ def get(self, agent, path_save=None, nb_process=1):
         all_scores = []
         ts_survived = []
         total_ts = []
+        path_save_real = os.path.realpath(path_save)
+        # Build a map from name → absolute path using the real filesystem so
+        # that the tainted scenario_name from the metadata JSON is never used
+        # directly as a path component (satisfies CodeQL py/path-injection).
+        available_ep_dirs = {
+            entry: os.path.join(path_save_real, entry)
+            for entry in os.listdir(path_save_real)
+            if os.path.isdir(os.path.join(path_save_real, entry))
+        }
         for ep_id in range(self.nb_scenario):
             this_ep_nm = meta_data_dn[f"{ep_id}"]["scenario_name"]
             if re.match(EpisodeStatistics.REGEX_SPLIT_COMPILED, this_ep_nm) is None:
                 raise RuntimeError(
                     f'The grid2op statistics name should match the regex "{EpisodeStatistics.REGEX_SPLIT}", it is currently {this_ep_nm}.'
                 )
+            if this_ep_nm not in available_ep_dirs:
+                raise RuntimeError(
+                    f"Episode directory for scenario '{this_ep_nm}' was not found under {path_save}."
+                )
+            # ep_dir comes from os.listdir (filesystem), not from the tainted metadata value.
+            ep_dir = available_ep_dirs[this_ep_nm]
             with open(
-                os.path.join(path_save, this_ep_nm, EpisodeData.META_FILE),
+                os.path.join(ep_dir, EpisodeData.META_FILE),
                 "r",
                 encoding="utf-8",
             ) as f:
                 this_epi_meta = json.load(f)
             with open(
-                os.path.join(path_save, this_ep_nm, EpisodeData.OTHER_REWARDS_FILE),
+                os.path.join(ep_dir, EpisodeData.OTHER_REWARDS_FILE),
                 "r",
                 encoding="utf-8",
             ) as f:
