Skip to content

Fix lab verifier path traversal in lab runtime#21

Open
beyildirim wants to merge 5 commits intomainfrom
fix/verify-path-injection
Open

Fix lab verifier path traversal in lab runtime#21
beyildirim wants to merge 5 commits intomainfrom
fix/verify-path-injection

Conversation

@beyildirim
Copy link
Copy Markdown
Owner

@beyildirim beyildirim commented Apr 14, 2026

This fixes the open CodeQL path-injection finding in weaklink_platform/lab_runtime.py by resolving verifier paths under an allowed root before touching verify.py.

Changes:

  • Added descendant path confinement before resolving the lab verifier path.
  • Fail closed with an invalid lab path error when a lab id escapes the configured labs root.
  • Added a regression test for traversal-style lab ids.

Validation:

  • python3 -m pytest tests/platform/test_lab_runtime.py
  • python3 -m ruff check weaklink_platform/lab_runtime.py tests/platform/test_lab_runtime.py

github-advanced-security[bot]
github-advanced-security AI found potential problems Apr 14, 2026
View reviewed changes
Comment thread weaklink_platform/lab_runtime.py


def _validated_lab_id(lab_id: str) -> str:
if not LAB_ID_PATTERN.fullmatch(lab_id):
Comment thread weaklink_platform/lab_runtime.py Fixed
Comment thread weaklink_platform/lab_runtime.py
safe_lab_id = _validated_lab_id(lab_id)
resolved_lab_dir = (resolved_labs_root / safe_lab_id).resolve(strict=False)
resolved_lab_dir.relative_to(resolved_labs_root)
python_verifier = (resolved_lab_dir / "verify.py").resolve(strict=False)
beyildirim and others added 3 commits April 14, 2026 23:24
@beyildirim @github-advanced-security
Potential fix for pull request finding 'CodeQL / Uncontrolled data us…
9b7eb55 
…ed in path expression'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@beyildirim
Merge branch 'main' into fix/verify-path-injection
b8b3efd
@beyildirim @github-advanced-security
Potential fix for pull request finding 'CodeQL / Uncontrolled data us…
2da0928 
…ed in path expression'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
github-advanced-security[bot]
github-advanced-security AI found potential problems Apr 14, 2026
View reviewed changes
Comment thread weaklink_platform/lab_runtime.py
try:
resolved_labs_root = labs_root.resolve(strict=False)
safe_lab_id = _validated_lab_id(lab_id)
expected_lab_dir = (resolved_labs_root / safe_lab_id).resolve(strict=False)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@github-advanced-security github-advanced-security[bot] github-advanced-security[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@beyildirim @github-advanced-security