From 960c7980a38268b1f3549fa9c741d23cf1bb3c71 Mon Sep 17 00:00:00 2001 From: Zamil Majdy Date: Wed, 11 Feb 2026 06:32:16 +0400 Subject: [PATCH] fix(backend/chat): Use named helper for session_id sanitization to satisfy CodeQL Replace inline comprehension with _sanitize_session_id() using re.sub so CodeQL recognizes the path-traversal sanitization barrier. --- .../backend/backend/api/features/chat/sdk/service.py | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/autogpt_platform/backend/backend/api/features/chat/sdk/service.py b/autogpt_platform/backend/backend/api/features/chat/sdk/service.py index 9681c86065..7e368915c7 100644 --- a/autogpt_platform/backend/backend/api/features/chat/sdk/service.py +++ b/autogpt_platform/backend/backend/api/features/chat/sdk/service.py @@ -4,6 +4,7 @@ import asyncio import json import logging import os +import re import uuid from collections.abc import AsyncGenerator from typing import Any @@ -45,6 +46,14 @@ config = ChatConfig() _background_tasks: set[asyncio.Task[Any]] = set() +def _sanitize_session_id(session_id: str) -> str: + """Sanitize session_id to prevent path traversal and injection. + + Only allows alphanumeric characters and hyphens, stripping everything else. + """ + return re.sub(r"[^A-Za-z0-9-]", "", session_id) + + def _cleanup_sdk_tool_results(cwd: str) -> None: """Remove SDK tool-result files for a specific session working directory. @@ -239,7 +248,7 @@ async def stream_chat_completion_sdk( stream_completed = False # Use a session-specific temp dir to avoid cleanup race conditions # between concurrent sessions. Sanitize session_id to prevent path traversal. - safe_session_id = "".join(c for c in session_id if c.isalnum() or c == "-") + safe_session_id = _sanitize_session_id(session_id) sdk_cwd = f"/tmp/copilot-{safe_session_id}" os.makedirs(sdk_cwd, exist_ok=True)