semgrep updates

GarrettBeatty · GarrettBeatty · commit e0b6aaa6971e · 2025-05-06T11:18:32.000-04:00
diff --git a/.semgrepignore b/.semgrepignore
@@ -1,4 +1,5 @@
 # Ignore test and example files containing dummy credentials
+
 **/test/**/*.json
 **/tests/**/*.json
 **/SampleRequests/**/*.json
@@ -7,6 +8,12 @@
 **/*.min.js
 **/env.configs.yml
 
+# ignore template files
+Blueprints/BlueprintDefinitions/vs2017/*/template/**
+Blueprints/BlueprintDefinitions/vs2019/*/template/**
+Blueprints/BlueprintDefinitions/vs2022/*/template/**
+Libraries/test/*/**
+
 # Ignore third-party libraries
 **/node_modules/**
 **/vendor/**
diff --git a/Tools/LambdaTestTool-v2/src/Amazon.Lambda.TestTool/SampleRequests/SampleRequestManager.cs b/Tools/LambdaTestTool-v2/src/Amazon.Lambda.TestTool/SampleRequests/SampleRequestManager.cs
@@ -96,7 +96,8 @@ public string GetRequest(string name)
         {
             name = name.Substring(name.IndexOf("@") + 1);
             var savedRequestDirectory = GetSavedRequestDirectory();
-            var path = Path.Combine(savedRequestDirectory, name);
+            var sanitizedName = Path.GetFileName(name);
+            var path = Path.Combine(savedRequestDirectory, sanitizedName);
             return File.ReadAllText(path);
         }
         return GetEmbeddedResource(name);
@@ -110,7 +111,8 @@ public string SaveRequest(string name, string content)
         if (!Directory.Exists(savedRequestDirectory))
             Directory.CreateDirectory(savedRequestDirectory);
 
-        File.WriteAllText(Path.Combine(savedRequestDirectory, filename), content);
+        var sanitizedFilename = Path.GetFileName(filename);
+        File.WriteAllText(Path.Combine(savedRequestDirectory, sanitizedFilename), content);
         return $"{SavedRequestDirectory}@{filename}";
     }
 
diff --git a/Tools/LambdaTestTool/src/Amazon.Lambda.TestTool.BlazorTester/Startup.cs b/Tools/LambdaTestTool/src/Amazon.Lambda.TestTool.BlazorTester/Startup.cs
@@ -109,7 +109,15 @@ public void ConfigureServices(IServiceCollection services)
         // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
         public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
         {
-            app.UseDeveloperExceptionPage();
+            if (env.IsDevelopment())
+            {
+                app.UseDeveloperExceptionPage();
+            }
+            else
+            {
+                app.UseExceptionHandler("/Error");
+                app.UseHsts();
+            }
 
             app.UseStaticFiles();
 
diff --git a/Tools/LambdaTestTool/src/Amazon.Lambda.TestTool/SampleRequests/SampleRequestManager.cs b/Tools/LambdaTestTool/src/Amazon.Lambda.TestTool/SampleRequests/SampleRequestManager.cs
@@ -102,7 +102,8 @@ public string GetRequest(string name)
             if(name.StartsWith(SAVED_REQUEST_DIRECTORY + "@"))
             {
                 name = name.Substring(name.IndexOf("@") + 1);
-                var path = Path.Combine(this.GetSavedRequestDirectory(), name);
+                var sanitizedName = Path.GetFileName(name); // Sanitize the filename to prevent path traversal
+                var path = Path.Combine(this.GetSavedRequestDirectory(), sanitizedName);
                 return File.ReadAllText(path);
             }
             return GetEmbeddedResource(name);
@@ -146,4 +147,4 @@ public string GetSavedRequestDirectory()
             return path;
         }
     }
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -96,7 +96,8 @@ public string GetRequest(string name)`
`96`	`96`	`{`
`97`	`97`	`name = name.Substring(name.IndexOf("@") + 1);`
`98`	`98`	`var savedRequestDirectory = GetSavedRequestDirectory();`
`99`		`- var path = Path.Combine(savedRequestDirectory, name);`
	`99`	`+ var sanitizedName = Path.GetFileName(name);`
	`100`	`+ var path = Path.Combine(savedRequestDirectory, sanitizedName);`
`100`	`101`	`return File.ReadAllText(path);`
`101`	`102`	`}`
`102`	`103`	`return GetEmbeddedResource(name);`
`@@ -110,7 +111,8 @@ public string SaveRequest(string name, string content)`
`110`	`111`	`if (!Directory.Exists(savedRequestDirectory))`
`111`	`112`	`Directory.CreateDirectory(savedRequestDirectory);`
`112`	`113`
`113`		`- File.WriteAllText(Path.Combine(savedRequestDirectory, filename), content);`
	`114`	`+ var sanitizedFilename = Path.GetFileName(filename);`
	`115`	`+ File.WriteAllText(Path.Combine(savedRequestDirectory, sanitizedFilename), content);`
`114`	`116`	`return $"{SavedRequestDirectory}@{filename}";`
`115`	`117`	`}`
`116`	`118`
Original file line number	Diff line number	Diff line change
`@@ -102,7 +102,8 @@ public string GetRequest(string name)`
`102`	`102`	`if(name.StartsWith(SAVED_REQUEST_DIRECTORY + "@"))`
`103`	`103`	`{`
`104`	`104`	`name = name.Substring(name.IndexOf("@") + 1);`
`105`		`- var path = Path.Combine(this.GetSavedRequestDirectory(), name);`
	`105`	`+ var sanitizedName = Path.GetFileName(name); // Sanitize the filename to prevent path traversal`
	`106`	`+ var path = Path.Combine(this.GetSavedRequestDirectory(), sanitizedName);`
`106`	`107`	`return File.ReadAllText(path);`
`107`	`108`	`}`
`108`	`109`	`return GetEmbeddedResource(name);`
`@@ -146,4 +147,4 @@ public string GetSavedRequestDirectory()`
`146`	`147`	`return path;`
`147`	`148`	`}`
`148`	`149`	`}`
`149`		`-}`
	`150`	`+}`