Potential fix for code scanning alert no. 10: Server-side request forgery #1
No reviewers
Labels
No labels
bug
documentation
duplicate
enhancement
future idea
good first issue
help wanted
invalid
question
roadmap:phase-agents
roadmap:phase-backend
roadmap:phase-cli
roadmap:phase-docs
roadmap:phase-foundation
roadmap:phase-hardening
roadmap:phase-installer
roadmap:phase-plugins
roadmap:phase-runtime
roadmap:phase-store
roadmap:status-active
roadmap:status-blocked
roadmap:status-done
roadmap:status-planned
roadmap:v2-agent-orchestration
roadmap:v2-auth
roadmap:v2-chat-runtime
roadmap:v2-cli
roadmap:v2-dashboard
roadmap:v2-hardening
roadmap:v2-model-providers
roadmap:v2-plugins-store
roadmap:v2-realtime
wontfix
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
FTMahringer/Synapse!1
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "alert-autofix-10"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Potential fix for https://github.com/FTMahringer/Synapse/security/code-scanning/10
Use strict canonical path validation before converting to URL/classloading:
PluginLoaderService.loadPlugin(...), resolve both the plugins root and input JAR path withtoRealPath(...)(after existence checks), then enforce containment using canonical paths.toUri().toURL()(safe after canonical allowlist check), removing manual string URL construction.Target file/region:
packages/core/src/main/java/dev/synapse/plugins/loader/PluginLoaderService.javanormalize()/startsWith+ manualfile://URL assembly block inloadPlugin(...)(around lines 86–134 in provided snippet).No new dependencies are required.
Suggested fixes powered by Copilot Autofix. Review carefully before merging.
@ -123,0 +121,4 @@e);}CodeQL / Uncontrolled data used in path expression
This path depends on a user-provided value.
Show more details
Pull request overview
This PR aims to address CodeQL alert #10 (server-side request forgery / path confusion) by tightening plugin JAR path validation before converting paths to URLs and classloading, primarily in
PluginLoaderService.loadPlugin(...).Changes:
toRealPath()+ containment checks, and build the JAR URL viatoUri().toURL()only after validation.jarPathto a “safe filename”.Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
file://building withtoRealPath()containment and safe URL creation.Comments suppressed due to low confidence (1)
packages/core/src/main/java/dev/synapse/plugins/loader/PluginUpdateService.java:117
stageJar(...)copies from the providedsourceJarpath. PassingjarFileNamehere means the source becomes a relative path likemyplugin.jar, which will typically not exist (and will break updates) unless the process working directory happens to contain that file. Pass the actual source path being updated from, or (if the API is meant to accept only a filename) resolve the source against a known directory (e.g., staging/incoming) and validate it exists as a regular file before copying.💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
@ -183,1 +194,4 @@id,Path.of(trimmed).getFileName());Plugin dbPlugin = lifecycleService.findById(id);The endpoint now reduces the request to
Path.of(trimmed).getFileName()(i.e., only a filename). But the update flow still stages/copies the JAR from the provided path, so sending only a filename will usually fail to locate the source file. Either accept a full path (with canonical allowlist validation) or make the endpoint semantics explicitly “jar name already present in staging/” and adjust the service accordingly.@ -64,0 +67,4 @@pluginId,"Invalid JAR path: only a file name is allowed");}This new validation requires
newJarPathto be only a single filename segment. That changes theupdatePlugincontract (it previously accepted a path to the new JAR) and doesn’t match the rest of the method, which stages/copies from a source path. Consider keepingnewJarPathas a path but applying canonical containment/regular-file validation (similar toPluginLoaderService), or update the staging logic to treat the input as a jar name already present in a specific directory.This issue also appears on line 114 of the same file.