Suppress CodeQL path-injection false positives on os.Stat checks

samuv · samuv · commit 1d96648d45f4 · 2026-04-13T09:34:49.000+02:00
The four os.Stat(dir) pre-checks in applyGitInstallExisting,
applyGitInstallFresh, installExtractionSameDigestNewClients, and
installExtractionFresh are flagged by CodeQL's go/path-injection query
because 'dir' originates (transitively) from user-supplied client names.
The paths are safe: client names are validated against the known
skill-supporting client list, skill names pass validateLocalPath, and
PathResolver.GetSkillPath constructs paths from fixed base directories
which are then confirmed absolute and traversal-free by validateResolvedDir.

Add the same // lgtm[go/path-injection] suppression used in
pkg/skills/gitresolver/writer.go for the identical taint flow.

Signed-off-by: Samuele Verzi &lt;samu@stacklok.com&gt;
Made-with: Cursor
diff --git a/pkg/skills/skillsvc/skillsvc.go b/pkg/skills/skillsvc/skillsvc.go
@@ -806,7 +806,7 @@ func (s *service) applyGitInstallExisting(
 	}
 	for _, ct := range toWrite {
 		dir := filepath.Clean(clientDirs[ct])
-		if _, statErr := os.Stat(dir); statErr == nil && !opts.Force {
+		if _, statErr := os.Stat(dir); statErr == nil && !opts.Force { // lgtm[go/path-injection]
 			return nil, httperr.WithCode(
 				fmt.Errorf("directory %q exists but is not managed by ToolHive; use force to overwrite", dir),
 				http.StatusConflict,
@@ -837,7 +837,7 @@ func (s *service) applyGitInstallFresh(
 ) (*skills.InstallResult, error) {
 	for _, ct := range clientTypes {
 		dir := filepath.Clean(clientDirs[ct])
-		if _, statErr := os.Stat(dir); statErr == nil && !opts.Force {
+		if _, statErr := os.Stat(dir); statErr == nil && !opts.Force { // lgtm[go/path-injection]
 			return nil, httperr.WithCode(
 				fmt.Errorf("directory %q exists but is not managed by ToolHive; use force to overwrite", dir),
 				http.StatusConflict,
@@ -1405,7 +1405,7 @@ func (s *service) installExtractionSameDigestNewClients(
 	var written []string
 	for _, ct := range toWrite {
 		dir := filepath.Clean(clientDirs[ct])
-		if _, statErr := os.Stat(dir); statErr == nil && !opts.Force {
+		if _, statErr := os.Stat(dir); statErr == nil && !opts.Force { // lgtm[go/path-injection]
 			removeSkillDirs(s.installer, clientDirs, written)
 			return nil, httperr.WithCode(
 				fmt.Errorf("directory %q exists but is not managed by ToolHive; use force to overwrite", dir),
@@ -1471,7 +1471,7 @@ func (s *service) installExtractionFresh(
 ) (*skills.InstallResult, error) {
 	for _, ct := range clientTypes {
 		dir := filepath.Clean(clientDirs[ct])
-		if _, statErr := os.Stat(dir); statErr == nil && !opts.Force {
+		if _, statErr := os.Stat(dir); statErr == nil && !opts.Force { // lgtm[go/path-injection]
 			return nil, httperr.WithCode(
 				fmt.Errorf("directory %q exists but is not managed by ToolHive; use force to overwrite", dir),
 				http.StatusConflict,
