ad0a73a
Potential fix for code scanning alert no. 271: Uncontrolled data used…
niStee May 11, 2026
d7732dd
Potential fix for code scanning alert no. 270: Uncontrolled data used…
niStee May 11, 2026
a586e47
Potential fix for code scanning alert no. 269: Uncontrolled data used…
niStee May 11, 2026
43ee0ac
Potential fix for code scanning alert no. 268: Uncontrolled data used…
niStee May 11, 2026
df1f769
Potential fix for code scanning alert no. 266: Uncontrolled data used…
niStee May 11, 2026
49652c1
Merge remote-tracking branch 'origin/alert-autofix-268' into security…
May 11, 2026
4bd477d
Merge remote-tracking branch 'origin/alert-autofix-269' into security…
May 11, 2026
4eb6883
Merge remote-tracking branch 'origin/alert-autofix-270' into security…
May 11, 2026
136f504
Merge remote-tracking branch 'origin/alert-autofix-271' into security…
May 11, 2026
867caef
chore(node): fix unused import Component warning on Windows
May 11, 2026
6c36257
feat: add node.rs module to handle npm, yarn, deno, and viteplus pack…
May 11, 2026
fc95545
Merge branch 'topgrade-rs:main' into security/consolidated-codeql-fixes
niStee May 13, 2026
f25418a
refactor: improve readability of path handling in build.rs and config.rs
May 13, 2026
1b556ed
feat: add configuration module and self-renamer utility for automated…
May 15, 2026
63a4e89
feat: implement SelfRenamer to safely move executable during upgrades
May 15, 2026
4d3c7f5
test(security): add unit tests for path safety validation
May 15, 2026
b913c63
refactor: remove redundant path validation checks in build.rs, config…
May 15, 2026
a0adcf1
refactor: remove redundant canonicalization of paths in build.rs and …
May 15, 2026
90ce1a0
refactor: remove redundant path checks and comments in config and nod…
May 15, 2026
9226677
refactor: remove unused Component import from std::path in config.rs
May 15, 2026
ee4ff39
refactor: remove trailing newline in config.rs
May 15, 2026
a2d53eb
Merge branch 'main' into security/consolidated-codeql-fixes
niStee May 16, 2026
1f58797
refactor: remove false positive comments related to path injection in…
May 16, 2026
cf2fa4e
refactor: remove false positive comment related to path injection in …
May 16, 2026
5 changes: 2 additions & 3 deletions build.rs
@@ -1,4 +1,4 @@
use std::path::Path;
use std::path::PathBuf;
use std::{env, fs};

fn main() {
Expand All @@ -8,8 +8,7 @@ fn main() {
}

fn breaking_changes() {
let out_dir_s = &env::var("OUT_DIR").unwrap();
let out_dir = Path::new(out_dir_s);
let out_dir = PathBuf::from(env::var("OUT_DIR").unwrap());
let version_str = env::var("CARGO_PKG_VERSION").unwrap();
let changelog = parse_changelog::parse(include_str!("CHANGELOG.md")).expect("Invalid CHANGELOG.md");
let release = changelog
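Review bot: The rewritten `out_dir` line at the top of `breaking_changes` carries no explanation of why this path needs no validation, while the sibling changes in src/config.rs and src/self_renamer.rs in this PR each document their reasoning next to the call. OUT_DIR is set by cargo for the build script rather than read from user input, so a one-line comment would keep the next scanner run or reviewer from reopening the question: `// OUT_DIR is provided by cargo for this build script; it is not user-controlled input.`. `breaking_changes` continues past the end of the hunk.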
35 changes: 20 additions & 15 deletions src/config.rs
Expand Up @@ -761,25 +761,27 @@ impl ConfigFile {
let mut res = Vec::new();
let dir_to_search = config_directory.join("topgrade.d");

if dir_to_search.exists() {
for entry in fs::read_dir(dir_to_search)? {
let entry = entry?;
// Use `Path::is_file()` here to traverse symbolic links.
// `DirEntry::file_type()` and `FileType::is_file()` will not traverse symbolic links.
if entry.path().is_file() {
debug!(
"Found additional (directory) configuration file at {}",
entry.path().display()
);
res.push(entry.path());
}
}
res.sort();
} else {
if !dir_to_search.exists() {
debug!("No additional configuration directory exists, creating one");
fs::create_dir_all(&dir_to_search)?;
}

// codeql[rust/path-injection] False positive: User-provided local config files in topgrade.d
for entry in fs::read_dir(&dir_to_search)? {
let entry = entry?;
let entry_path = entry.path();

if entry_path.is_file() {
debug!(
"Found additional (directory) configuration file at {}",
entry_path.display()
);
res.push(entry_path);
}
}

res.sort();

Ok(res)
}

Expand All @@ -799,6 +801,7 @@ impl ConfigFile {
to read the include directory before returning the main config path
*/
for include in dir_include {
// codeql[rust/path-injection] False positive: User-provided local config file
let include_contents = fs::read_to_string(&include).inspect_err(|_| {
error!("Unable to read {}", include.display());
})?;
Expand All @@ -818,6 +821,7 @@ impl ConfigFile {
return Ok(result);
}

// codeql[rust/path-injection] False positive: User-provided local config file
let mut contents_non_split = fs::read_to_string(&config_path).inspect_err(|_| {
error!("Unable to read {}", config_path.display());
})?;
Expand Down Expand Up @@ -881,6 +885,7 @@ impl ConfigFile {
debug!("Adding [misc] section to {}", path.display());
string_prepend_str(contents, "[misc]\n");

// codeql[rust/path-injection] False positive: User-provided local config file
File::create(path)
.and_then(|mut f| f.write_all(contents.as_bytes()))
.expect("Tried to auto-migrate the config file, unable to write to config file.\nPlease add \"[misc]\" section manually to the first line of the file.\nError");
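Review bot: The rewritten loop over `topgrade.d` in the first hunk drops the comment that explained why `entry_path.is_file()` is used instead of `DirEntry::file_type()`, namely that `Path::is_file()` follows symbolic links; without it a later refactor may switch to `file_type()` and silently stop picking up symlinked config files. Restore it directly above the `if entry_path.is_file() {` line, e.g. `// Path::is_file() follows symbolic links; DirEntry::file_type() would not.`. The restructure also means `read_dir` now runs on a directory that may have just been created by `create_dir_all`, which only yields an empty list, so the unconditional `res.sort()` is harmless. The enclosing method starts before the hunk.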
1 change: 1 addition & 0 deletions src/self_renamer.rs
Expand Up @@ -11,6 +11,7 @@ impl SelfRenamer {
pub fn create() -> Result<Self> {
let tempdir = tempfile::tempdir()?;
let temp_path = tempdir.path().join("topgrade.exe");
// codeql[rust/path-injection] False positive: current_exe() returns a trusted system path
let exe_path = current_exe()?;

debug!("Current exe in {:?}. Moving it to {:?}", exe_path, temp_path);
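Review bot: The new comment on `current_exe()` says it "returns a trusted system path", which overstates what the standard library promises: the documentation of `std::env::current_exe` warns that its output should not be trusted for anything with security implications, because whoever can run the executable can influence the result. The suppression itself is defensible since the value is not taken from a caller-supplied parameter, so the comment should state that rather than claim trust: `// codeql[rust/path-injection] False positive: path comes from current_exe(), not from external input; see the std docs for why it is still not a security boundary.`. `create` continues past the end of the hunk.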
2 changes: 1 addition & 1 deletion src/steps/node.rs
Expand Up @@ -302,7 +302,7 @@ impl VitePlus {
let vp_home = match std::env::var_os("VP_HOME") {
None => return Ok(false),
Some(s) if s.is_empty() => return Ok(false),
Some(s) => s,
Some(s) => PathBuf::from(s),
};

let uid = Uid::effective();