mirror of
https://github.com/github/codeql.git
synced 2026-05-14 19:29:28 +02:00
- Add test cases in path_injection.py demonstrating that os.path.basename prevents path traversal attacks (false positive scenarios)
- Add OsPathBasenameCall sanitizer class in PathInjectionCustomizations.qll that recognizes calls to os.path.basename (and posixpath/ntpath/genericpath variants) as barriers for the path-injection taint flow

os.path.basename strips all directory components from a path, returning only the final filename. This makes it impossible for an attacker to inject path traversal sequences like ../etc/passwd - the basename of such input would just be 'passwd'.

Agent-Logs-Url: https://github.com/github/codeql/sessions/6603215b-21cd-4e05-8905-550434c7b9ff
Co-authored-by: hvitved <3667920+hvitved@users.noreply.github.com>
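As an added illustration (not code from the codeql repository or from this commit), the three patterns the commit message describes, in Python: the unsanitized join the path-injection query reports, the basename-sanitized join the new OsPathBasenameCall barrier recognizes, and a hardened wrapper that additionally rejects the empty and dot results os.path.basename returns for inputs such as `dir/` or `..`; `BASE_DIR`, the function names and the sample inputs are constructed for this example, and the POSIX/Windows comparison assumes the block runs on a POSIX host.

```python
import ntpath
import os
import posixpath

# Constructed sample base directory (assumption for this illustration).
BASE_DIR = "/srv/uploads"


def unsafe_path(user_supplied: str) -> str:
    """The pattern the path-injection query reports: tainted input is joined
    onto BASE_DIR unchanged, so '../' components are preserved."""
    return os.path.join(BASE_DIR, user_supplied)


def basename_sanitized_path(user_supplied: str) -> str:
    """The pattern the OsPathBasenameCall sanitizer treats as a barrier:
    os.path.basename keeps only the final component, so every directory
    part (including '..' segments before a filename) is discarded."""
    return os.path.join(BASE_DIR, os.path.basename(user_supplied))


def hardened_path(user_supplied: str) -> str:
    """Defensive wrapper: basename still returns '' for 'dir/' and '..' for
    '..' itself, so reject those results and confirm the normalised path
    remains inside BASE_DIR before using it."""
    name = os.path.basename(user_supplied)
    if name in ("", ".", ".."):
        raise ValueError(f"rejected filename component: {name!r}")
    full = os.path.normpath(os.path.join(BASE_DIR, name))
    if os.path.commonpath([BASE_DIR, full]) != BASE_DIR:
        raise ValueError("resolved path escapes BASE_DIR")
    return full


def is_accepted(user_supplied: str) -> bool:
    """True when hardened_path accepts the input, False when it rejects it."""
    try:
        hardened_path(user_supplied)
        return True
    except ValueError:
        return False


def basename_variants(path: str) -> dict:
    """Compare the POSIX and Windows flavours the sanitizer also covers:
    only ntpath treats a backslash as a directory separator."""
    return {"posixpath": posixpath.basename(path), "ntpath": ntpath.basename(path)}
```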