Skip to content

Commit c580bc2

Browse files
Potential fix for code scanning alert no. 29: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
1 parent e6939da commit c580bc2

1 file changed

Lines changed: 6 additions & 1 deletion

File tree

CodeGen/ui/gradio/codegen_ui_gradio.py

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -164,7 +164,12 @@ def generate_code(query, index=None, use_agent=False):
164164

165165
def ingest_file(file, index=None, chunk_size=100, chunk_overlap=150):
166166
headers = {}
167-
file_input = {"files": open(file, "rb")}
167+
# Restrict file access to UPLOAD_ROOT directory
168+
normalized_path = os.path.normpath(os.path.join(UPLOAD_ROOT, file))
169+
# Ensure the constructed path is still within the upload root
170+
if not normalized_path.startswith(UPLOAD_ROOT):
171+
raise Exception("Access to the specified file is not allowed.")
172+
file_input = {"files": open(normalized_path, "rb")}
168173

169174
if index:
170175
data = {"index_name": index, "chunk_size": chunk_size, "chunk_overlap": chunk_overlap}

0 commit comments

Comments
 (0)