Potential fix for pull request finding 'CodeQL / Uncontrolled data used in path expression'

Zalfsten · github-advanced-security[bot] · web-flow · commit a3222d1bbdcf · 2026-04-08T15:15:06.000+02:00
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/dev_environment/demo_api_main.py b/dev_environment/demo_api_main.py
@@ -70,55 +70,22 @@ def _handle_error(arc_dir: Path, rdi: str, arc_id: str, exc: Exception) -> None:
     tb = traceback.format_exc()
     print(f"Error writing ARC for {rdi}/{arc_id}: {exc}")
 
-    # Ensure that error logging always happens under the configured OUTPUT_ROOT,
-    # regardless of how arc_dir was derived. This avoids using any potentially
-    # untrusted path prefixes.
-    base_root = OUTPUT_ROOT.resolve()
-
-    # Derive a simple, safe subdirectory name from the provided arc_dir/arc_id.
-    # Prefer the final path component of arc_dir; fall back to arc_id; and
-    # finally to a generic name if necessary.
-    candidate_name = arc_dir.name if arc_dir.name not in {"", ".", ".."} else arc_id
-    if not isinstance(candidate_name, str) or not candidate_name:
-        candidate_name = "unknown"
-
-    # Reuse the same safe-name pattern as in upload_arc.
-    safe_name_pattern = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")
-    candidate_name = candidate_name.strip()
-    if (
-        not candidate_name
-        or candidate_name in {".", ".."}
-        or "/" in candidate_name
-        or "\\" in candidate_name
-        or not safe_name_pattern.match(candidate_name)
-    ):
-        safe_name = "unknown"
-    else:
-        safe_name = candidate_name
-
-    # Build the final directory for error logging under the safe root.
-    safe_arc_dir = (base_root / safe_name).resolve()
-    try:
-        common_root = os.path.commonpath([str(base_root), str(safe_arc_dir)])
-    except ValueError:
-        # Fall back to logging under a generic error directory if something goes wrong.
-        safe_arc_dir = (base_root / "errors").resolve()
-        common_root = os.path.commonpath([str(base_root), str(safe_arc_dir)])
-
-    if common_root != str(base_root):
-        # As an additional safeguard, if the computed directory is not under
-        # OUTPUT_ROOT, force it into a fixed "errors" directory and re-validate.
-        safe_arc_dir = (base_root / "errors").resolve()
-        try:
-            common_root = os.path.commonpath([str(base_root), str(safe_arc_dir)])
-        except ValueError:
+    # Always log errors under a fixed subdirectory of OUTPUT_ROOT to avoid
+    # any dependence on user-controlled identifiers when constructing paths.
+    errors_root = (OUTPUT_ROOT / "errors").resolve()
+    errors_root.mkdir(parents=True, exist_ok=True)
+
+    error_path = errors_root / "error.txt"
             # In the unlikely event that commonpath still fails, log directly under
-            # the resolved OUTPUT_ROOT itself.
-            safe_arc_dir = base_root
+        handle.write(f"RDI: {rdi}\n")
+        handle.write(f"ARC ID: {arc_id}\n")
+        handle.write(f"ARC directory: {arc_dir}\n")
+        handle.write(f"Exception: {exc}\n\n")
         else:
-            if common_root != str(base_root):
                 # If the resolved "errors" directory is still not under OUTPUT_ROOT,
+    _chown_tree(errors_root)
                 # fall back to using the OUTPUT_ROOT directory itself.
+
                 safe_arc_dir = base_root
 
     safe_arc_dir.mkdir(parents=True, exist_ok=True)
