Skip to content

Potential fix for code scanning alert no. 48: Uncontrolled command line#106

Merged
meraedit merged 1 commit into
masterfrom
alert-autofix-48_
Jul 1, 2026
Merged

Potential fix for code scanning alert no. 48: Uncontrolled command line#106
meraedit merged 1 commit into
masterfrom
alert-autofix-48_

Conversation

@meraedit

@meraedit meraedit commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Potential fix for https://github.com/Servoy/servoy-eclipse/security/code-scanning/48

General fix approach: keep using ProcessBuilder with separated arguments, but enforce strict allowlisting of what executable/application path can be launched, and ensure untrusted values can only select among expected literals/paths.

Best single fix (without changing functionality): in StartNGDesktopClientHandler.java, before calling builder.command(...), add a strict validation that the resolved executable/app path filename is exactly the expected NG Desktop binary/app name for the current OS (servoyngdesktop or servoyngdesktop.app) and reject anything else. Then keep current execution logic. This complements existing path-boundary checks and addresses CodeQL’s taint concern by proving the launched target is fixed/allowlisted, not arbitrary user-controlled.

Needed changes:

  • File: com.servoy.eclipse.debug/src/com/servoy/eclipse/debug/handlers/StartNGDesktopClientHandler.java
  • Region: around lines 449–473 (path checks + process start)
  • Add a small local validation block (or helper method if already shown; here local block is safest with given snippet constraints).
  • No new dependency required; use existing JDK APIs already imported.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@meraedit meraedit marked this pull request as ready for review July 1, 2026 13:24
@meraedit meraedit merged commit 5038a32 into master Jul 1, 2026
6 checks passed
@meraedit meraedit deleted the alert-autofix-48_ branch July 1, 2026 13:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant