Skip to content

fix: harden media path validation against path injection#86

Merged
GeiserX merged 1 commit intomasterfrom
fix/path-injection
Mar 5, 2026
Merged

fix: harden media path validation against path injection#86
GeiserX merged 1 commit intomasterfrom
fix/path-injection

Conversation

@GeiserX
Copy link
Copy Markdown
Owner

@GeiserX GeiserX commented Mar 5, 2026

Summary

Test plan

  • Existing test_path_traversal_blocked passes
  • Existing test_media_requires_auth passes
  • Syntax check passes

🤖 Generated with Claude Code

@GeiserX @claude
fix: harden media path validation against path injection (CodeQL)
7a48a76 
Add early rejection of path traversal (`..`) and absolute paths before
filesystem operations. Use `resolve(strict=True)` to prevent TOCTOU
race conditions with symlinks. Resolves CodeQL alerts #12, #13, #14.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@GeiserX GeiserX merged commit 78bf2da into master Mar 5, 2026
5 of 6 checks passed
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 5, 2026
View reviewed changes
src/web/main.py
# Construct and resolve path, then verify it stays within media root
candidate = _media_root / path
try:
resolved = candidate.resolve(strict=True)

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression High

This path depends on a
user-provided value
Loading
.

Copilot Autofix

AI about 1 month ago

Copilot could not generate an autofix suggestion

Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Mar 5, 2026

🐳 Dev images published!

  • drumsergio/telegram-archive:dev
  • drumsergio/telegram-archive-viewer:dev

The dev/test instance will pick up these changes automatically (Portainer GitOps).

To test locally:

docker pull drumsergio/telegram-archive:dev
docker pull drumsergio/telegram-archive-viewer:dev

GeiserX added a commit that referenced this pull request Mar 10, 2026
@GeiserX @claude
fix: harden media path validation against path injection (CodeQL) (#86)
246006e 
Add early rejection of path traversal (`..`) and absolute paths before
filesystem operations. Use `resolve(strict=True)` to prevent TOCTOU
race conditions with symlinks. Resolves CodeQL alerts #12, #13, #14.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
GeiserX added a commit that referenced this pull request Mar 10, 2026
@GeiserX
fix: harden media path validation against path injection (CodeQL) (#86)
a7e86e7 
Add early rejection of path traversal (`..`) and absolute paths before
filesystem operations. Use `resolve(strict=True)` to prevent TOCTOU
race conditions with symlinks. Resolves CodeQL alerts #12, #13, #14.
GeiserX added a commit that referenced this pull request Mar 10, 2026
@GeiserX
fix: harden media path validation against path injection (CodeQL) (#86)
71cf736 
Add early rejection of path traversal (`..`) and absolute paths before
filesystem operations. Use `resolve(strict=True)` to prevent TOCTOU
race conditions with symlinks. Resolves CodeQL alerts #12, #13, #14.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@GeiserX @github-advanced-security