Skip to content

Codescanning fix march8 #59

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

Codescanning fix march8 #59

wants to merge 8 commits into from

Conversation

arpitjain099
Copy link
Owner

Purpose

  • ...

Does this introduce a breaking change?

[ ] Yes
[ ] No

Pull Request Type

What kind of change does this Pull Request introduce?

[ ] Bugfix
[ ] Feature
[ ] Code style update (formatting, local variables)
[ ] Refactoring (no functional changes, no api changes)
[ ] Documentation content changes
[ ] Other... Please describe:

How to Test

  • Get the code
git clone [repo-address]
cd [repo-name]
git checkout [branch-name]
npm install
  • Test the code

What to Check

Verify that the following are valid

  • ...

Other Information

arpitjain099 and others added 6 commits March 8, 2025 22:53
@arpitjain099 @github-advanced-security
Code scanning fixes
27c8592 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@arpitjain099 @github-advanced-security
Code scanning fixes
f79838e 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@arpitjain099 @github-advanced-security
Code scanning fixes
bca746e 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@arpitjain099 @github-advanced-security
Code scanning fixes
b10d9f7 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@arpitjain099 @github-advanced-security
Code scanning fixes
1c3f34f 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@arpitjain099 @github-advanced-security
Code scanning fixes
eb7c852 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 8, 2025
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 8, 2025
View reviewed changes
Solution_Accelerators/Advanced_RAG/src/evals/rag_eval/__main__.py
os.makedirs(save_path, exist_ok=True)
with open(os.path.join(save_path, "config.json"), "w") as f:
with open(f"{save_path}/config.json", "w") as f:

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression High

This path depends on a
user-provided value
Loading
.

Copilot Autofix

AI 3 months ago

To fix the problem, we need to validate and sanitize the user-provided aml_dataset before using it to construct the file path. We can use os.path.normpath to normalize the path and ensure it does not contain any malicious segments. Additionally, we can check that the resulting path is within a safe root directory.

  1. Normalize the aml_dataset value using os.path.normpath.
  2. Ensure that the normalized path does not contain any segments that could lead to directory traversal.
  3. Construct the experiment_id and save_path using the sanitized aml_dataset.
Suggested changeset 1
Solution_Accelerators/Advanced_RAG/src/evals/rag_eval/__main__.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/Solution_Accelerators/Advanced_RAG/src/evals/rag_eval/__main__.py b/Solution_Accelerators/Advanced_RAG/src/evals/rag_eval/__main__.py
--- a/Solution_Accelerators/Advanced_RAG/src/evals/rag_eval/__main__.py
+++ b/Solution_Accelerators/Advanced_RAG/src/evals/rag_eval/__main__.py
@@ -174,3 +174,5 @@
     current_time = pd.Timestamp.now().strftime("%Y-%m-%d_%H%M%S")
-    aml_dataset = parsed_config.aml_dataset
+    aml_dataset = os.path.normpath(parsed_config.aml_dataset)
+    if os.path.isabs(aml_dataset) or ".." in aml_dataset.split(os.path.sep):
+        raise ValueError("Invalid aml_dataset value.")
     experiment_id = f"RAG-Bot-Eval_Dataset_eq_{aml_dataset}_Start_eq_{current_time}"
EOF
@@ -174,3 +174,5 @@
current_time = pd.Timestamp.now().strftime("%Y-%m-%d_%H%M%S")
aml_dataset = parsed_config.aml_dataset
aml_dataset = os.path.normpath(parsed_config.aml_dataset)
if os.path.isabs(aml_dataset) or ".." in aml_dataset.split(os.path.sep):
raise ValueError("Invalid aml_dataset value.")
experiment_id = f"RAG-Bot-Eval_Dataset_eq_{aml_dataset}_Start_eq_{current_time}"
Copilot is powered by AI and may make mistakes. Always verify output.
Solution_Accelerators/Advanced_RAG/src/evals/rag_eval/__main__.py
@@ -719,14 +713,11 @@

combined_results = {
"config": config.__dict__,
"metrics": json.load(open(os.path.normpath(os.path.join(current_dir, "results", config.experiment_id, "run_metrics.json")))),
"answers": pd.read_csv(os.path.normpath(os.path.join(current_dir, "results", config.experiment_id, "run_details.csv"))).to_dict(),
"metrics": json.load(open(f"{current_dir}/results/{config.experiment_id}/run_metrics.json")),

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression High

This path depends on a
user-provided value
Loading
.
Solution_Accelerators/Advanced_RAG/src/evals/rag_eval/__main__.py
json.dump(
combined_results, open(metrics_path, "w"), indent=4
combined_results, open(f"{current_dir}/results/{config.experiment_id}/combined_results.json", "w"), indent=4

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression High

This path depends on a
user-provided value
Loading
.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@arpitjain099