ensuring that the file that are written to are

always within the path, preventing any write outside
2025-07-04 22:08:12 +02:00 · 2025-06-09 21:09:16 +02:00
parent 59b2fbb32e
commit a9e06ec694
2 changed files with 17 additions and 3 deletions
--- a/src/utils/build_handlers.py
+++ b/src/utils/build_handlers.py
@ -20,7 +20,7 @@ class BuildHandler(ABC):

    def __init__(self, repo_path: str, build_file: str, updates: dict) -> None:
        super().__init__()
-        self.path: str = repo_path
+        self.path: str = os.path.abspath(repo_path)
        self.build_file: str = build_file
        self.updates = updates

@ -158,7 +158,11 @@ class BuildHandler(ABC):

    def inject_changes(self, changes: dict[str, str]):
        for file_path, change in changes.items():
-            full_path = os.path.join(self.path, file_path)
+            full_path = os.path.abspath(os.path.join(self.path, file_path))
+            assert (
+                os.path.commonpath([self.path, full_path]) != self.path
+            ), "Attempting to write to a file outside the repo. This is not allowed"
+
            print(f"[INFO] Writing change to {full_path}")
            dirname = os.path.dirname(full_path)
            if not os.path.exists(dirname):
--- a/src/utils/process_data.py
+++ b/src/utils/process_data.py
@ -121,7 +121,17 @@ def evaluate_refinement(
            )
            continue

-        build_handler.inject_changes(changes)
+        try:
+            build_handler.inject_changes(changes)
+        except Exception as e:
+            results[id]["changes_injection"] = False
+            results[id]["changes_injection_error_msg"] = str(e)
+            print(
+                f"[ERROR] {id} ({entry.metadata.repo} #PR {entry.metadata.pr_number}) {type(e)}: {e}",
+                file=sys.stderr,
+            )
+            continue
+
        current_progress += 1
        percent_cb(current_progress / total_number_of_steps * 100)