diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..24cf3ea
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,57 @@
+name: "CodeQL Advanced"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '26 17 * * 6'
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+ permissions:
+ security-events: write
+ packages: read
+ actions: read
+ contents: read
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: c-cpp
+ build-mode: manual
+ - language: csharp
+ build-mode: none
+ - language: java-kotlin
+ build-mode: none
+ - language: javascript-typescript
+ build-mode: none
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+
+ # this is necessary because autobuild does not work
+ - if: matrix.language == 'c-cpp'
+ shell: bash
+ run: |
+ cd exercisefiles/c++
+ cmake -S . -B build
+ cmake --build build
+ cd ../../completesolution/c++
+ cmake -S . -B build
+ cmake --build build
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/completesolution/quarkus/copilot-demo/src/main/java/com/microsoft/hackathon/quarkus/DemoResource.java b/completesolution/quarkus/copilot-demo/src/main/java/com/microsoft/hackathon/quarkus/DemoResource.java
index 64eb811..e160016 100644
--- a/completesolution/quarkus/copilot-demo/src/main/java/com/microsoft/hackathon/quarkus/DemoResource.java
+++ b/completesolution/quarkus/copilot-demo/src/main/java/com/microsoft/hackathon/quarkus/DemoResource.java
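Review bot: The three actions in the steps block are referenced by floating major tags (`actions/checkout@v4`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`); since this job is granted `security-events: write`, pinning each `uses:` to a full commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, keeps a moved or compromised tag from changing what runs with that permission. The manual C/C++ build step has no `name:`, so it shows in the run log only as its `if:` expression; `name: Build C++ projects (autobuild unsupported)` would make the log line up with the comment above it. The `runs-on` expression branches on `swift`, which is not in the matrix, so that branch is dead unless a swift entry is added later.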
@@ -186,6 +186,9 @@ public Response parseurl(@QueryParam("url") String url) {
 @Produces(MediaType.APPLICATION_JSON)
 public Response listfiles(@QueryParam("path") String path) {
 Objects.requireNonNull(path, "path must not be null");
+ if (path.contains("..") || path.contains("/") || path.contains("\\")) {
+ throw new IllegalArgumentException("Invalid path");
+ }
 ObjectMapper mapper = new ObjectMapper();
 try {
 List fileList = new ArrayList<>();
@@ -213,6 +216,9 @@ public Response listfiles(@QueryParam("path") String path) {
 public Response countWord(@QueryParam("path") String path, @QueryParam("word") String word) {
 Objects.requireNonNull(path, "path must not be null");
 Objects.requireNonNull(word, "word must not be null");
+ if (path.contains("..") || path.contains("/") || path.contains("\\")) {
+ throw new IllegalArgumentException("Invalid path");
+ }
 java.nio.file.Path filePath = Paths.get(path);
 String content;
 int count = 0;
@@ -241,6 +247,9 @@ public Response countWord(@QueryParam("path") String path, @QueryParam("word") S
 @Produces(MediaType.APPLICATION_OCTET_STREAM)
 public Response zipFolder(@QueryParam("path") String path) {
 Objects.requireNonNull(path, "path must not be null");
+ if (path.contains("..") || path.contains("/") || path.contains("\\")) {
+ throw new IllegalArgumentException("Invalid path");
+ }
 java.nio.file.Path folderPath = Paths.get(path);
 File folder = folderPath.toFile();
 if (!folder.exists()) {
diff --git a/completesolution/springboot/copilot-demo/src/main/java/com/microsoft/hackathon/copilotdemo/controller/DemoController.java b/completesolution/springboot/copilot-demo/src/main/java/com/microsoft/hackathon/copilotdemo/controller/DemoController.java
index 2794542..5c4e669 100644
--- a/completesolution/springboot/copilot-demo/src/main/java/com/microsoft/hackathon/copilotdemo/controller/DemoController.java
+++ b/completesolution/springboot/copilot-demo/src/main/java/com/microsoft/hackathon/copilotdemo/controller/DemoController.java
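Review bot: In listfiles the new `IllegalArgumentException` is thrown before the `try` block, so unless the application registers an ExceptionMapper for it (none is visible here) a rejected path surfaces as an unhandled server-side exception rather than a client error; replacing the throw with `return Response.status(Response.Status.BAD_REQUEST).entity("Invalid path").build();` gives the caller a 400 and keeps the method's `Response` contract. The same applies to the countWord and zipFolder hunks. The check is also a character denylist repeated three times: a bare filename still resolves against the process working directory via `Paths.get(path)`, so every file there remains reachable, and the stronger form is to resolve the value against a configured base directory, reject it when the normalized result does not `startsWith` that base, and do this once in a private helper that all three endpoints call. The bodies of listfiles, countWord and zipFolder continue outside their hunks.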
@@ -141,6 +141,9 @@ public String parseurl(@RequestParam(name = "url", required = false) String url)
 @GetMapping(value = "/list-files", produces = MediaType.APPLICATION_JSON_VALUE)
 public ResponseEntity listFiles(@RequestParam(name = "path") String pathString) {
 try {
+ if (pathString.contains("..") || pathString.contains("/") || pathString.contains("\\")) {
+ throw new IllegalArgumentException("Invalid pathString");
+ }
 File path = new File(pathString);
 if (!path.exists()) {
 return ResponseEntity.notFound().build();
@@ -166,6 +169,9 @@ public ResponseEntity listFiles(@RequestParam(name = "path") String path
 @GetMapping(value = "/count-word", produces = MediaType.APPLICATION_JSON_VALUE)
 public ResponseEntity countWord(@RequestParam(name = "path") String pathString, @RequestParam(name = "word") String word) {
 try {
+ if (pathString.contains("..") || pathString.contains("/") || pathString.contains("\\")) {
+ throw new IllegalArgumentException("Invalid pathString");
+ }
 File file = new File(pathString);
 if (!file.exists()) {
 return ResponseEntity.notFound().build();
@@ -193,6 +199,9 @@ public ResponseEntity countWord(@RequestParam(name = "path") String path
 @GetMapping(value = "/zip-folder", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE)
 public ResponseEntity zipFolder(@RequestParam(name = "path") String pathString) {
 try {
+ if (pathString.contains("..") || pathString.contains("/") || pathString.contains("\\")) {
+ throw new IllegalArgumentException("Invalid pathString");
+ }
 File folder = new File(pathString);
 if (!folder.exists()) {
 return ResponseEntity.notFound().build();
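Review bot: In listFiles the throw sits inside the `try` block whose `catch` clauses are outside the hunk, so the status a client gets for a rejected path depends on what that catch does with an `IllegalArgumentException` — presumably a generic error response rather than a 400; `return ResponseEntity.badRequest().build();` in place of the throw makes the outcome explicit and matches the `ResponseEntity.notFound().build()` style used two lines below. The same applies to the countWord and zipFolder hunks. As in the Quarkus change, the denylist leaves `new File(pathString)` resolving relative to the working directory, so any file there remains reachable; resolving against a configured base directory and checking that the canonical path stays under it, in one shared private helper, would close that and remove the triplicated condition. The message `"Invalid pathString"` also echoes the Java variable name rather than the request parameter `path`.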