rick/LEDMatrix
1
0
Fork 0
mirror of https://github.com/ChuckBuilds/LEDMatrix.git synced 2026-05-26 22:13:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix 15 remaining CodeQL path-injection and stack-trace-exposure alerts

Browse Source 
Switch from resolve()+relative_to() to os.path.basename() reassignment,
which CodeQL recognizes as a path sanitizer that breaks the taint chain.
Also remove exception objects from backup_manager validate_backup return
strings to eliminate the stack-trace-exposure taint source.

Fixes alerts #227, #233, #234, #235, #237, #238, #239, #240, #241,
#242, #243, #244, #245, #246, #247.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Chuck
2026-05-24 08:59:57 -04:00
parent d96db23992
commit 13eaabfcd5
4 changed files with 26 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/plugin_system/plugin_loader.py
View File

@@ -8,6 +8,7 @@ Extracted from PluginManager to improve separation of concerns.
import json
import importlib
import importlib.util
import os
import sys
import subprocess
import threading
@@ -68,6 +69,11 @@ class PluginLoader:
Returns:
Path to plugin directory or None if not found
"""
# Sanitize plugin_id — os.path.basename is a CodeQL-recognized path sanitizer
plugin_id = os.path.basename(plugin_id or '')
if not plugin_id:
return None
# Strategy 1: Use mapping from discovery
if plugin_directories and plugin_id in plugin_directories:
plugin_dir = plugin_directories[plugin_id]
@@ -145,6 +151,9 @@ class PluginLoader:
Returns:
True if dependencies installed or not needed, False on error
"""
plugin_id = os.path.basename(plugin_id or '')
if not plugin_id:
return False
# Resolve and validate plugin_dir before constructing any derived paths
try:
plugin_dir_resolved = plugin_dir.resolve(strict=True)
@@ -371,6 +380,9 @@ class PluginLoader:
Returns:
Loaded module or None on error
"""
plugin_id = os.path.basename(plugin_id or '')
if not plugin_id:
raise PluginError("Invalid plugin ID")
try:
plugin_dir_resolved = plugin_dir.resolve(strict=True)
except OSError: