refactor: use inline suppression for path-injection instead of global exclusion

- Remove global py/path-injection exclusion from CodeQL config
- Add lgtm[py/path-injection] inline comment to specific line
- Keeps the py/path-injection query active for the rest of the codebase
This commit is contained in:
LearningCircuit
2025-11-25 01:32:46 +01:00
parent 3cee19103f
commit 290a2835e9
2 changed files with 3 additions and 20 deletions


@@ -6,22 +6,3 @@ paths-ignore:
- '**/test_*.py'
- '**/*_test.py'
- 'src/local_deep_research/security/file_write_verifier.py'
# Query filters - exclude specific queries for intentional security-reviewed features
query-filters:
- exclude:
id: py/path-injection
# Justification: This query is excluded because:
# 1. The local file indexing feature (rag_routes.py:100) intentionally accepts
# user-provided paths to enable indexing personal documents
# 2. Security controls are in place:
# - System directory blocking (/etc, /sys, /proc, /dev, /root, /boot, /var/log)
# - Path resolution with .resolve() to prevent traversal
# - PathValidator for relative paths
# 3. This is the ONLY location in the codebase with intentional user-controlled paths
# (verified via codebase audit - see commit history for details)
# 4. This is a core feature requirement for a local research tool, not a vulnerability
# 5. Inline suppressions (lgtm, nosec, codeql) are not supported in CodeQL Python
#
# Alternative considered: File-specific exclusion via paths-ignore, but query-filters
# provides better documentation of WHY this specific security check is excluded.


@@ -210,7 +210,9 @@ def validate_local_index_path(user_path: str) -> Path:
# Users are allowed to index their own filesystem. System directories are blocked below.
if Path(user_path).is_absolute():
# codeql[py/path-injection] - Intentional: Local filesystem indexing feature with system directory protection
validated_path = Path(user_path).resolve() # nosec B108
validated_path = Path(
user_path
).resolve() # lgtm[py/path-injection] nosec B108
else:
# Use PathValidator for relative paths
validated_path = PathValidator.validate_safe_path(
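Review bot: The `lgtm[py/path-injection]` marker is placed on the closing `).resolve()` line of a call that the commit splits across three lines, while CodeQL reports the path-injection alert at the sink expression, which begins on the `validated_path = Path(` line; lgtm-style suppression comments typically cover only the line they sit on, so the suppression may not attach, and the justification block this commit deletes from the config explicitly claimed inline suppressions are not honoured for Python, which the commit message contradicts without evidence. Keep the call on one line so the comment and the sink share it, `validated_path = Path(user_path).resolve()  # lgtm[py/path-injection] nosec B108`, and confirm on a scan of this branch that the alert is actually suppressed before relying on it. The pre-existing `# codeql[py/path-injection] - Intentional: ...` comment on the line above now duplicates the new marker; keep one of the two and let it carry the rationale that was removed from the config, e.g. `# lgtm[py/path-injection]: user-chosen absolute paths are a feature of local indexing; system directories are rejected below`. The carried-over `nosec B108` names Bandit's hardcoded temp-directory check, which a `Path(user_path).resolve()` call does not trigger, so it is probably dead and worth dropping or replacing with the test that actually fires. `validate_local_index_path` starts before this hunk and continues after it.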