From 3a2970c0aee32b6205963ad769814a00ccb60c9e Mon Sep 17 00:00:00 2001 From: Ganesh Patil <7030871503ganeshpatil@gmail.com> Date: Sat, 14 Feb 2026 12:36:20 +0530 Subject: [PATCH 1/3] fix: validate arguments before usage in mkconcore.py (Issue #267) --- mkconcore.py | 85 ++++++++++++++++++++++++++-------------------------- 1 file changed, 43 insertions(+), 42 deletions(-) diff --git a/mkconcore.py b/mkconcore.py index 3b20f8e4..4d026a1e 100644 --- a/mkconcore.py +++ b/mkconcore.py @@ -75,40 +75,45 @@ import shlex # Added for POSIX shell escaping # input validation helper -def safe_name(value, context, allow_path=False): - """ - Validates that the input string does not contain characters dangerous - for filesystem paths or shell command injection. - """ - if not value: - raise ValueError(f"{context} cannot be empty") - # blocks control characters and shell metacharacters - # allow path separators and drive colons for full paths when needed - if allow_path: - pattern = r'[\x00-\x1F\x7F*?"<>|;&`$\'()]' - else: - # blocks path traversal (/, \, :) in addition to shell metacharacters - pattern = r'[\x00-\x1F\x7F\\/:*?"<>|;&`$\'()]' - if re.search(pattern, value): - raise ValueError(f"Unsafe {context}: '{value}' contains illegal characters.") - return value - -MKCONCORE_VER = "22-09-18" - -SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__)) - -def _resolve_concore_path(): - script_concore = os.path.join(SCRIPT_DIR, "concore.py") - if os.path.exists(script_concore): - return SCRIPT_DIR - cwd_concore = os.path.join(os.getcwd(), "concore.py") - if os.path.exists(cwd_concore): - return os.getcwd() - return SCRIPT_DIR - -GRAPHML_FILE = sys.argv[1] -TRIMMED_LOGS = True -CONCOREPATH = _resolve_concore_path() +def safe_name(value, context, allow_path=False): + """ + Validates that the input string does not contain characters dangerous + for filesystem paths or shell command injection. + """ + if not value: + raise ValueError(f"{context} cannot be empty") + # blocks control characters and shell metacharacters + # allow path separators and drive colons for full paths when needed + if allow_path: + pattern = r'[\x00-\x1F\x7F*?"<>|;&`$\'()]' + else: + # blocks path traversal (/, \, :) in addition to shell metacharacters + pattern = r'[\x00-\x1F\x7F\\/:*?"<>|;&`$\'()]' + if re.search(pattern, value): + raise ValueError(f"Unsafe {context}: '{value}' contains illegal characters.") + return value + +MKCONCORE_VER = "22-09-18" + +SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__)) + +def _resolve_concore_path(): + script_concore = os.path.join(SCRIPT_DIR, "concore.py") + if os.path.exists(script_concore): + return SCRIPT_DIR + cwd_concore = os.path.join(os.getcwd(), "concore.py") + if os.path.exists(cwd_concore): + return os.getcwd() + return SCRIPT_DIR + +if len(sys.argv) < 4: + print("Usage: python mkconcore.py [type]") + print(" type must be posix (macos or ubuntu), windows, or docker") + sys.exit(1) + +GRAPHML_FILE = sys.argv[1] +TRIMMED_LOGS = True +CONCOREPATH = _resolve_concore_path() CPPWIN = "g++" #Windows C++ 6/22/21 CPPEXE = "g++" #Ubuntu/macOS C++ 6/22/21 VWIN = "iverilog" #Windows verilog 6/25/21 @@ -152,18 +157,14 @@ def _resolve_concore_path(): sourcedir = sys.argv[2] outdir = sys.argv[3] -# Validate outdir argument (allow full paths) -safe_name(outdir, "Output directory argument", allow_path=True) +# Validate outdir argument (allow full paths) +safe_name(outdir, "Output directory argument", allow_path=True) if not os.path.isdir(sourcedir): logging.error(f"{sourcedir} does not exist") quit() -if len(sys.argv) < 4: - logging.error("usage: py mkconcore.py file.graphml sourcedir outdir [type]") - logging.error(" type must be posix (macos or ubuntu), windows, or docker") - quit() -elif len(sys.argv) == 4: +if len(sys.argv) == 4: prefixedgenode = outdir+"_" #nodes and edges prefixed with outdir_ only in case no type specified 3/24/21 concoretype = "docker" else: @@ -1227,4 +1228,4 @@ def cleanup_script_files(): os.chmod(outdir+"/clear",stat.S_IRWXU) os.chmod(outdir+"/maxtime",stat.S_IRWXU) os.chmod(outdir+"/params",stat.S_IRWXU) - os.chmod(outdir+"/unlock",stat.S_IRWXU) + os.chmod(outdir+"/unlock",stat.S_IRWXU) From 363127386efb58b43d26e6bec97ede06eaade17a Mon Sep 17 00:00:00 2001 From: Ganesh Patil <7030871503ganeshpatil@gmail.com> Date: Sat, 14 Feb 2026 12:53:50 +0530 Subject: [PATCH 2/3] fix: add safe_name validation for sourcedir argument --- mkconcore.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mkconcore.py b/mkconcore.py index 4d026a1e..9833d03b 100644 --- a/mkconcore.py +++ b/mkconcore.py @@ -157,7 +157,8 @@ def _resolve_concore_path(): sourcedir = sys.argv[2] outdir = sys.argv[3] -# Validate outdir argument (allow full paths) +# Validate arguments (allow full paths) +safe_name(sourcedir, "Source directory argument", allow_path=True) safe_name(outdir, "Output directory argument", allow_path=True) if not os.path.isdir(sourcedir): From f8ea2a88084252abba1c2c0b0d69c9169232bc2f Mon Sep 17 00:00:00 2001 From: Ganesh Patil <7030871503ganeshpatil@gmail.com> Date: Sat, 14 Feb 2026 12:56:38 +0530 Subject: [PATCH 3/3] fix: address Copilot review - use logging.error, quit(), and validate GRAPHML_FILE --- mkconcore.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/mkconcore.py b/mkconcore.py index 9833d03b..8999b8fd 100644 --- a/mkconcore.py +++ b/mkconcore.py @@ -107,11 +107,11 @@ def _resolve_concore_path(): return SCRIPT_DIR if len(sys.argv) < 4: - print("Usage: python mkconcore.py [type]") - print(" type must be posix (macos or ubuntu), windows, or docker") - sys.exit(1) + logging.error("Usage: python mkconcore.py [type]") + logging.error(" type must be posix (macos or ubuntu), windows, or docker") + quit() -GRAPHML_FILE = sys.argv[1] +GRAPHML_FILE = safe_name(sys.argv[1], "GRAPHML file argument", allow_path=True) TRIMMED_LOGS = True CONCOREPATH = _resolve_concore_path() CPPWIN = "g++" #Windows C++ 6/22/21