Adding CodeQL advanced config (#49)

* Update instructions to add more clarity

* Initial import of exercise files

* Initial devcontainer config for cmake

* Updating container config

* Completing exercises

* Update main README

* Create codeql.yml

Adding advanced CodeQL scanning since autobuild fails for c++ projects

* Update DemoController.java

Fixing user-defined path vulnerability

* Update DemoController.java

Fix user-defined path

* Update DemoResource.java

Fix user-defined path vulnerability

.github/workflows/codeql.yml

@@ -0,0 +1,57 @@
+name: "CodeQL Advanced"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '26 17 * * 6'
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: c-cpp
+          build-mode: manual
+        - language: csharp
+          build-mode: none
+        - language: java-kotlin
+          build-mode: none
+        - language: javascript-typescript
+          build-mode: none
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+
+    # this is necessary because autobuild does not work
+    - if: matrix.language == 'c-cpp'
+      shell: bash
+      run: |
+        cd exercisefiles/c++
+        cmake -S . -B build
+        cmake --build build
+        cd ../../completesolution/c++
+        cmake -S . -B build
+        cmake --build build
+        
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"

completesolution/quarkus/copilot-demo/src/main/java/com/microsoft/hackathon/quarkus/DemoResource.java

@@ -186,6 +186,9 @@ public Response parseurl(@QueryParam("url") String url) {
     @Produces(MediaType.APPLICATION_JSON)
     public Response listfiles(@QueryParam("path") String path) {
         Objects.requireNonNull(path, "path must not be null");
+        if (path.contains("..") || path.contains("/") || path.contains("\\")) {
+            throw new IllegalArgumentException("Invalid path");
+        }
         ObjectMapper mapper = new ObjectMapper();
         try {
             List<JsonNode> fileList = new ArrayList<>();
@@ -213,6 +216,9 @@ public Response listfiles(@QueryParam("path") String path) {
     public Response countWord(@QueryParam("path") String path, @QueryParam("word") String word) {
         Objects.requireNonNull(path, "path must not be null");
         Objects.requireNonNull(word, "word must not be null");
+        if (path.contains("..") || path.contains("/") || path.contains("\\")) {
+            throw new IllegalArgumentException("Invalid path");
+        }
         java.nio.file.Path filePath = Paths.get(path);
         String content;
         int count = 0;
@@ -241,6 +247,9 @@ public Response countWord(@QueryParam("path") String path, @QueryParam("word") S
     @Produces(MediaType.APPLICATION_OCTET_STREAM)
     public Response zipFolder(@QueryParam("path") String path) {
         Objects.requireNonNull(path, "path must not be null");
+        if (path.contains("..") || path.contains("/") || path.contains("\\")) {
+            throw new IllegalArgumentException("Invalid path");
+        }
         java.nio.file.Path folderPath = Paths.get(path);
         File folder = folderPath.toFile();
         if (!folder.exists()) {

completesolution/springboot/copilot-demo/src/main/java/com/microsoft/hackathon/copilotdemo/controller/DemoController.java

@@ -141,6 +141,9 @@ public String parseurl(@RequestParam(name = "url", required = false) String url)
     @GetMapping(value = "/list-files", produces = MediaType.APPLICATION_JSON_VALUE)
     public ResponseEntity<String> listFiles(@RequestParam(name = "path") String pathString) {
         try {
+            if (pathString.contains("..") || pathString.contains("/") || pathString.contains("\\")) {
+        		throw new IllegalArgumentException("Invalid pathString");
+        	}
             File path = new File(pathString);
             if (!path.exists()) {
                 return ResponseEntity.notFound().build();
@@ -166,6 +169,9 @@ public ResponseEntity<String> listFiles(@RequestParam(name = "path") String path
     @GetMapping(value = "/count-word", produces = MediaType.APPLICATION_JSON_VALUE)
     public ResponseEntity<String> countWord(@RequestParam(name = "path") String pathString, @RequestParam(name = "word") String word) {
         try {
+            if (pathString.contains("..") || pathString.contains("/") || pathString.contains("\\")) {
+        		throw new IllegalArgumentException("Invalid pathString");
+        	}
             File file = new File(pathString);
             if (!file.exists()) {
                 return ResponseEntity.notFound().build();
@@ -193,6 +199,9 @@ public ResponseEntity<String> countWord(@RequestParam(name = "path") String path
     @GetMapping(value = "/zip-folder", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE)
     public ResponseEntity<Resource> zipFolder(@RequestParam(name = "path") String pathString) {
         try {
+            if (pathString.contains("..") || pathString.contains("/") || pathString.contains("\\")) {
+        		throw new IllegalArgumentException("Invalid pathString");
+        	}
             File folder = new File(pathString);
             if (!folder.exists()) {
                 return ResponseEntity.notFound().build();