
Commit a0b5875

committed
Fix Action
1 parent 6c14e3d commit a0b5875

3 files changed

Lines changed: 25 additions & 19 deletions


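--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -33,7 +33,8 @@ jobs:
 with:
 args: >
 -Dsonar.host.url=https://sonarcloud.io
--Dsonar.organization=${{ secrets.SONAR_ORG }}
+-Dsonar.organization=codingworkflow
+-Dsonar.projectKey=codingworkflow_claude-code-a-api
 
 - name: SonarCloud quality gate
 uses: SonarSource/sonarqube-quality-gate-action@v1.1.0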
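Review bot: The new `-Dsonar.projectKey=codingworkflow_claude-code-a-api` looks like a typo for `codingworkflow_claude-code-api` (SonarCloud keys are conventionally `<org>_<repo>`, and the script touched in this same commit defaults to `claude-code-api`); if the key does not match the project the scanner token is bound to, the scan fails or silently reports into a different project, so confirm it against the SonarCloud project settings. Moving the organization out of `secrets.SONAR_ORG` is reasonable because the org key is a public identifier, but a short comment such as `# org and project keys are public identifiers; only the scanner token is a secret` would keep a later reviewer from moving it back into secrets. The token remains the only credential in this step and should stay a repository secret with minimal scope.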

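--- a/claude_code_api/core/security.py
+++ b/claude_code_api/core/security.py
@@ -30,8 +30,8 @@ def _sanitize_leaf_value(path_value: str) -> str:
 
 
 def _ensure_within_base(path_value: str, base_path: str, resolved_path: str) -> None:
-abs_base_path = os.path.abspath(base_path)
-abs_resolved_path = os.path.abspath(resolved_path)
+abs_base_path = os.path.realpath(base_path)
+abs_resolved_path = os.path.realpath(resolved_path)
 try:
 common_path = os.path.commonpath([abs_base_path, abs_resolved_path])
 except ValueError:
@@ -73,33 +73,38 @@ def resolve_path_within_base(path: str, base_path: str) -> str:
 detail="Invalid path: Null byte detected",
 )
 
-abs_base_path = Path(base_path).resolve()
-candidate_path = Path(path)
-if not candidate_path.is_absolute():
-candidate_path = abs_base_path / candidate_path
-
-resolved_path = candidate_path.resolve(strict=False)
+abs_base_path = os.path.realpath(base_path)
+path_value = os.fspath(path)
+normalized_path = os.path.normpath(path_value)
+if not os.path.isabs(normalized_path):
+if normalized_path == ".." or normalized_path.startswith(f"..{os.path.sep}"):
+raise HTTPException(
+status_code=status.HTTP_400_BAD_REQUEST,
+detail="Invalid path: Path traversal detected",
+)
+if os.path.isabs(normalized_path):
+resolved_path = os.path.realpath(normalized_path)
+else:
+resolved_path = os.path.realpath(os.path.join(abs_base_path, normalized_path))
 
 try:
-common_path = os.path.commonpath(
-[os.fspath(abs_base_path), os.fspath(resolved_path)]
-)
+common_path = os.path.commonpath([abs_base_path, resolved_path])
 except ValueError:
 common_path = ""
 
-if common_path != os.fspath(abs_base_path):
+if common_path != abs_base_path:
 logger.warning(
 "Path traversal attempt detected",
 path=path,
-resolved_path=str(resolved_path),
-base_path=str(abs_base_path),
+resolved_path=resolved_path,
+base_path=abs_base_path,
 )
 raise HTTPException(
 status_code=status.HTTP_400_BAD_REQUEST,
 detail="Invalid path: Path traversal detected",
 )
 
-return str(resolved_path)
+return resolved_path
 
 except HTTPException:
 raise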
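Review bot: The early `..` rejection added at new lines 80-84 raises the same 400 as the commonpath failure at lines 95-105 but skips the `logger.warning("Path traversal attempt detected", ...)` that the later branch emits, so the most obvious traversal payloads (`../etc/passwd`) now leave no log trace for detection; either drop the pre-check, since `os.path.realpath` plus `os.path.commonpath` already rejects them, or route both rejections through one helper that logs before raising. Relatedly, new lines 91-95 reimplement the realpath/commonpath containment that `_ensure_within_base` (switched to `realpath` in the first hunk) appears to provide, so a call such as `_ensure_within_base(path_value, base_path, resolved_path)` would keep the two checks from drifting apart again. The realpath-based check is point-in-time: if the returned path is opened later, a symlink swapped in between can still escape `base_path`, so callers should open with `O_NOFOLLOW`/`dir_fd` semantics or re-validate at the moment of use. `resolve_path_within_base` begins before the second hunk and its enclosing `try`/`except` continues past it, and `_ensure_within_base`'s body runs past the end of the first hunk.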

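--- a/scripts/run-sonar-cloud.sh
+++ b/scripts/run-sonar-cloud.sh
@@ -56,9 +56,9 @@ if [ -z "${SONAR_CLOUD_TOKEN:-}" ]; then
 fi
 
 # Set defaults if not provided
-SONAR_HOST_URL="${SONAR_CLOUD_URL:-https://sonarcloud.io}"
-SONAR_ORG="${SONAR_CLOUD_ORG:-}"
-SONAR_PROJECT_KEY="${SONAR_CLOUD_PROJECT:-claude-code-api}"
+SONAR_HOST_URL="${SONAR_HOST_URL:-${SONAR_CLOUD_URL:-https://sonarcloud.io}}"
+SONAR_ORG="${SONAR_ORG:-${SONAR_CLOUD_ORG:-}}"
+SONAR_PROJECT_KEY="${SONAR_PROJECT_KEY:-${SONAR_CLOUD_PROJECT:-claude-code-api}}"
 
 # Generate coverage for SonarCloud
 echo "Generating coverage report for SonarCloud..."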
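Review bot: The defaults at new lines 59-61 still disagree with the workflow changed in this same commit: `SONAR_ORG` falls back to empty and `SONAR_PROJECT_KEY` to `claude-code-api`, while the workflow hard-codes `codingworkflow` and `codingworkflow_claude-code-a-api`, so a local run with nothing set scans a different or nonexistent project than CI. Consider `SONAR_ORG="${SONAR_ORG:-${SONAR_CLOUD_ORG:-codingworkflow}}"` with the matching project key, or fail fast with a clear message when `SONAR_ORG` resolves to empty rather than letting the scanner report a confusing error. Note that `SONAR_HOST_URL` now takes precedence over `SONAR_CLOUD_URL`, and since `SONAR_CLOUD_TOKEN` is sent to whatever host this resolves to, the script should only run where that variable cannot be injected by an untrusted party (for example not from an env block a pull request can edit). The surrounding `if` block and the scanner invocation that consumes these variables are outside the hunk.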
