Commit 61affd7
fix: validate reviewAgentLogPath to prevent path injection
Add path validation to invokeDiffReviewLlm to ensure the log path
stays within the expected DATA_CACHE_DIR/review-agent directory.
This addresses CodeQL alert #19 (js/path-injection) by resolving
the path and verifying it does not escape the log directory.
The validation is performed before each fs.appendFileSync call
to prevent path traversal attacks even if the call chain changes
in the future.
Co-authored-by: Michael Sukkarieh <msukkari@users.noreply.github.com>
1 parent 2c89825, commit 61affd7
1 file changed: 12 additions & 0 deletions
packages/web/src/features/agents/review-agent/nodes
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
2 | 2 | | |
3 | 3 | | |
4 | 4 | | |
| 5 | + | |
5 | 6 | | |
6 | 7 | | |
7 | 8 | | |
8 | 9 | | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
9 | 19 | | |
10 | 20 | | |
11 | 21 | | |
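Review bot: make sure the escape check added in this hunk (the block at diff lines 10-18) compares the resolved path against the log directory with a trailing path separator, or uses path.relative and rejects a result that starts with "..", because a plain prefix test on the resolved string also accepts a sibling such as review-agent-other under DATA_CACHE_DIR; if the cache directory can contain symlinks, resolve them with fs.realpathSync before comparing. The hunk body is not rendered on this page, so this could not be confirmed from the lines shown; please verify against the source.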
| |||
19 | 29 | | |
20 | 30 | | |
21 | 31 | | |
| 32 | + | |
22 | 33 | | |
23 | 34 | | |
24 | 35 | | |
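Review bot: this single-line addition is one of the two call-site checks the commit message places before each fs.appendFileSync call (the other at diff line 46); since both sites run the same validation, have one helper return the validated path and throw on failure so the two sites cannot drift apart and a failed check is never silently skipped. The line content is not rendered here, so whether that is already the case could not be confirmed.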
| |||
32 | 43 | | |
33 | 44 | | |
34 | 45 | | |
| 46 | + | |
35 | 47 | | |
36 | 48 | | |
37 | 49 | | |
| |||