Potential fix for code scanning alert no. 2: Uncontrolled command line #16
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Potential fix for https://github.com/IntelLabs/Video-Curation-Sample/security/code-scanning/2
General approach: keep using
shell=Falseand a fixed executable path, but further reduce the attack surface by (a) enforcing a strict allowlist of characters/format forvideonames, and (b) ensuring we don’t accidentally proceed whenffprobefails. This aligns with the recommendation to choose among hard-coded command structures and strictly validate any user-controlled arguments.Concretely, the best targeted fix with minimal functional change is:
validate_video_nameinvideo/utils.pyto only accept benign file-name patterns (e.g., letters, digits, underscore, dash, dot), while still rejecting path separators. This makes it explicit thatvideois not an arbitrary string but a constrained identifier/filename, which addresses CodeQL’s concern about uncontrolled values in a command line._get_infoinvideo/info.pyto:ffprobeand raise an exception if it fails, instead of silently returning zeros. That way, invalid or malicious inputs don’t just flow through.p.stdout.close()/p.wait()by usingcommunicate()or, minimally, by checkingp.returncodeafterwait().We do not need to change imports beyond adding
reinvideo/utils.pyfor pattern-based validation. No changes to existing behavior for valid names are intended; valid names that match the new pattern should behave the same.Specific changes:
video/utils.py, addimport reand updatevalidate_video_nameto use a compiled regex like^[A-Za-z0-9._-]+$and to disallow names starting with a dot (to avoid hidden files like.htaccessif that matters).video/info.py, inside_get_info, assigninput_path = safely_join_path(self._mp4path, video)and use that incmd. After thewith Popen(...)block completes, checkp.returncodeand, if non-zero, raise aRuntimeErrorso the caller can fail cleanly. This makes error handling explicit and ensures we don’t treat a failed subprocess as a successful info query.Suggested fixes powered by Copilot Autofix. Review carefully before merging.