Skip to content

Commit af3cca6

Browse files
data-douserdata-douser
committed
fix: address PR #153 review comments for path resolution
- Remove absolute path from 'does not exist' warning to avoid leaking local machine paths into prompt context sent to LLMs - Add blockedPathError() helper and check blocked flag at all 12 resolvePromptFilePath call sites so traversal attempts short-circuit with a clear inline error instead of silently proceeding - Add tests for both behaviors
1 parent ef7517c commit af3cca6

4 files changed

Lines changed: 108 additions & 4 deletions

File tree

server/dist/codeql-development-mcp-server.js

Lines changed: 28 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -64485,6 +64485,22 @@ function markdownInlineCode(value) {
6448564485
const fence = "`".repeat(maxRun + 1);
6448664486
return `${fence}${normalized}${fence}`;
6448764487
}
64488+
function blockedPathError(result, paramName) {
64489+
const message = result.warning ?? `The provided ${paramName} could not be resolved safely and cannot be used.`;
64490+
return {
64491+
messages: [
64492+
{
64493+
role: "user",
64494+
content: {
64495+
type: "text",
64496+
text: `${message}
64497+
64498+
The workflow cannot proceed because the ${paramName} is not allowed.`
64499+
}
64500+
}
64501+
]
64502+
};
64503+
}
6448864504
async function resolvePromptFilePath(filePath, workspaceRoot) {
6448964505
if (!filePath || filePath.trim() === "") {
6449064506
return {
@@ -64523,7 +64539,7 @@ async function resolvePromptFilePath(filePath, workspaceRoot) {
6452364539
} catch {
6452464540
return {
6452564541
resolvedPath: absolutePath,
64526-
warning: `\u26A0 **File path** ${markdownInlineCode(filePath)} **does not exist.** Resolved to: ${markdownInlineCode(absolutePath)}`
64542+
warning: `\u26A0 **File path** ${markdownInlineCode(filePath)} **does not exist.**`
6452764543
};
6452864544
}
6452964545
return { resolvedPath: absolutePath };
@@ -64726,6 +64742,7 @@ ${content}`
6472664742
const template = loadPromptTemplate("tools-query-workflow.prompt.md");
6472764743
const warnings = [];
6472864744
const dbResult = await resolvePromptFilePath(database);
64745+
if (dbResult.blocked) return blockedPathError(dbResult, "database path");
6472964746
const resolvedDatabase = dbResult.resolvedPath;
6473064747
if (dbResult.warning) warnings.push(dbResult.warning);
6473164748
const content = processPromptTemplate(template, {
@@ -64765,6 +64782,7 @@ ${content}`
6476564782
const template = loadPromptTemplate("workshop-creation-workflow.prompt.md");
6476664783
const warnings = [];
6476764784
const qpResult = await resolvePromptFilePath(queryPath);
64785+
if (qpResult.blocked) return blockedPathError(qpResult, "query path");
6476864786
const resolvedQueryPath = qpResult.resolvedPath;
6476964787
if (qpResult.warning) warnings.push(qpResult.warning);
6477064788
const derivedName = workshopName || basename7(resolvedQueryPath).replace(/\.(ql|qlref)$/, "").toLowerCase().replace(/[^a-z0-9]+/g, "-") || "codeql-workshop";
@@ -64833,6 +64851,7 @@ ${content}`
6483364851
let resolvedDatabase = database;
6483464852
if (database) {
6483564853
const dbResult = await resolvePromptFilePath(database);
64854+
if (dbResult.blocked) return blockedPathError(dbResult, "database path");
6483664855
resolvedDatabase = dbResult.resolvedPath;
6483764856
if (dbResult.warning) warnings.push(dbResult.warning);
6483864857
}
@@ -64874,6 +64893,7 @@ ${content}`
6487464893
const template = loadPromptTemplate("sarif-rank-false-positives.prompt.md");
6487564894
const warnings = [];
6487664895
const spResult = await resolvePromptFilePath(sarifPath);
64896+
if (spResult.blocked) return blockedPathError(spResult, "SARIF path");
6487764897
const resolvedSarifPath = spResult.resolvedPath;
6487864898
if (spResult.warning) warnings.push(spResult.warning);
6487964899
let contextSection = "## Analysis Context\n\n";
@@ -64910,6 +64930,7 @@ ${content}`
6491064930
const template = loadPromptTemplate("sarif-rank-true-positives.prompt.md");
6491164931
const warnings = [];
6491264932
const spResult = await resolvePromptFilePath(sarifPath);
64933+
if (spResult.blocked) return blockedPathError(spResult, "SARIF path");
6491364934
const resolvedSarifPath = spResult.resolvedPath;
6491464935
if (spResult.warning) warnings.push(spResult.warning);
6491564936
let contextSection = "## Analysis Context\n\n";
@@ -64946,6 +64967,7 @@ ${content}`
6494664967
const template = loadPromptTemplate("run-query-and-summarize-false-positives.prompt.md");
6494764968
const warnings = [];
6494864969
const qpResult = await resolvePromptFilePath(queryPath);
64970+
if (qpResult.blocked) return blockedPathError(qpResult, "query path");
6494964971
const resolvedQueryPath = qpResult.resolvedPath;
6495064972
if (qpResult.warning) warnings.push(qpResult.warning);
6495164973
const contextSection = `## Analysis Context
@@ -64979,11 +65001,13 @@ ${content}`
6497965001
const template = loadPromptTemplate("explain-codeql-query.prompt.md");
6498065002
const warnings = [];
6498165003
const qpResult = await resolvePromptFilePath(queryPath);
65004+
if (qpResult.blocked) return blockedPathError(qpResult, "query path");
6498265005
const resolvedQueryPath = qpResult.resolvedPath;
6498365006
if (qpResult.warning) warnings.push(qpResult.warning);
6498465007
let resolvedDatabasePath = databasePath;
6498565008
if (databasePath) {
6498665009
const dbResult = await resolvePromptFilePath(databasePath);
65010+
if (dbResult.blocked) return blockedPathError(dbResult, "database path");
6498765011
resolvedDatabasePath = dbResult.resolvedPath;
6498865012
if (dbResult.warning) warnings.push(dbResult.warning);
6498965013
}
@@ -65023,6 +65047,7 @@ ${content}`
6502365047
const template = loadPromptTemplate("document-codeql-query.prompt.md");
6502465048
const warnings = [];
6502565049
const qpResult = await resolvePromptFilePath(queryPath);
65050+
if (qpResult.blocked) return blockedPathError(qpResult, "query path");
6502665051
const resolvedQueryPath = qpResult.resolvedPath;
6502765052
if (qpResult.warning) warnings.push(qpResult.warning);
6502865053
const contextSection = `## Query to Document
@@ -65107,11 +65132,13 @@ ${workspaceUri ? `- **Workspace URI**: ${workspaceUri}
6510765132
const template = loadPromptTemplate("ql-lsp-iterative-development.prompt.md");
6510865133
const warnings = [];
6510965134
const qpResult = await resolvePromptFilePath(queryPath);
65135+
if (qpResult.blocked) return blockedPathError(qpResult, "query path");
6511065136
const resolvedQueryPath = qpResult.resolvedPath;
6511165137
if (qpResult.warning) warnings.push(qpResult.warning);
6511265138
let resolvedWorkspaceUri = workspaceUri;
6511365139
if (workspaceUri) {
6511465140
const wsResult = await resolvePromptFilePath(workspaceUri);
65141+
if (wsResult.blocked) return blockedPathError(wsResult, "workspace URI");
6511565142
resolvedWorkspaceUri = wsResult.resolvedPath;
6511665143
if (wsResult.warning) warnings.push(wsResult.warning);
6511765144
}

0 commit comments

Comments
 (0)