fix: address CodeQL path-injection alerts and second-round review findings

Aureliolo · claude · Aureliolo · commit fe1595fbc1eb · 2026-03-28T15:18:59.000+01:00
- Extract hintComposeRestart helper with CodeQL-tracing comment to fix
  go/path-injection alerts on config.SecurePath calls in hintAfterConfigSet
  and runConfigUnset (both now call shared helper)
- Guard post-run logsFilterHint on !logFollow to prevent duplicate emission
- Make doctorAutoFix return bool; only show "run doctor again" when fixes ran

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/cli/cmd/config.go b/cli/cmd/config.go
@@ -304,13 +304,7 @@ func runConfigSet(cmd *cobra.Command, args []string) error {
 // hintAfterConfigSet emits contextual guidance after a config set operation.
 func hintAfterConfigSet(out *ui.UI, key, value, dataDir string) {
 	if composeAffectingKeys[key] {
-		// Only hint about restart if compose.yml exists (pre-init users have no stack).
-		safeDir, secErr := config.SecurePath(dataDir)
-		if secErr == nil {
-			if _, statErr := os.Stat(filepath.Join(safeDir, "compose.yml")); statErr == nil {
-				out.HintGuidance("Restart containers with 'synthorg stop && synthorg start' to apply the new value.")
-			}
-		}
+		hintComposeRestart(out, dataDir, "new value")
 	}
 
 	switch key {
@@ -345,6 +339,20 @@ func hintAfterConfigSet(out *ui.UI, key, value, dataDir string) {
 	}
 }
 
+// hintComposeRestart emits a restart hint only when compose.yml exists.
+// Pre-init users have no stack, so the hint would be misleading.
+func hintComposeRestart(out *ui.UI, dataDir, what string) {
+	// Use config.SecurePath directly so that CodeQL can trace the
+	// sanitization for go/path-injection.
+	safeDir, err := config.SecurePath(dataDir)
+	if err != nil {
+		return
+	}
+	if _, statErr := os.Stat(filepath.Join(safeDir, "compose.yml")); statErr == nil {
+		out.HintGuidance(fmt.Sprintf("Restart containers with 'synthorg stop && synthorg start' to apply the %s.", what))
+	}
+}
+
 // applyConfigValue validates and applies a single key=value to state.
 func applyConfigValue(state *config.State, key, value string) error {
 	switch key {
@@ -502,12 +510,7 @@ func runConfigUnset(cmd *cobra.Command, args []string) error {
 	}
 	out.Success(fmt.Sprintf("Reset %s to default", key))
 	if composeAffectingKeys[key] {
-		safeDir, secErr := config.SecurePath(state.DataDir)
-		if secErr == nil {
-			if _, statErr := os.Stat(filepath.Join(safeDir, "compose.yml")); statErr == nil {
-				out.HintGuidance("Restart containers with 'synthorg stop && synthorg start' to apply the default value.")
-			}
-		}
+		hintComposeRestart(out, state.DataDir, "default value")
 	}
 	return nil
 }
diff --git a/cli/cmd/doctor.go b/cli/cmd/doctor.go
@@ -128,8 +128,10 @@ func runDoctor(cmd *cobra.Command, _ []string) error {
 	}
 
 	if doctorFix {
-		doctorAutoFix(ctx, cmd, out, errOut, state, report, safeDir)
-		out.HintGuidance("Run 'synthorg doctor' again to verify fixes.")
+		fixed := doctorAutoFix(ctx, cmd, out, errOut, state, report, safeDir)
+		if fixed {
+			out.HintGuidance("Run 'synthorg doctor' again to verify fixes.")
+		}
 	}
 
 	if status != doctorHealthy && !doctorFix {
@@ -197,14 +199,14 @@ func renderDoctorFiltered(out *ui.UI, report diagnostics.Report, state config.St
 // then executes fixes in correct order (compose first, restart once after).
 // Only acts on issues matching the --checks filter. Non-fatal: prints
 // results but does not return errors.
-func doctorAutoFix(ctx context.Context, _ *cobra.Command, out, errOut *ui.UI, state config.State, report diagnostics.Report, safeDir string) {
+func doctorAutoFix(ctx context.Context, _ *cobra.Command, out, errOut *ui.UI, state config.State, report diagnostics.Report, safeDir string) bool {
 	_, _ = fmt.Fprintln(out.Writer())
 	out.Section("Auto-fix")
 
 	status, issues := classifyDoctor(report)
 	if status == doctorHealthy {
 		out.Success("All systems healthy -- nothing to fix")
-		return
+		return false
 	}
 
 	// Phase 1: scan issues and determine needed actions.
@@ -227,7 +229,7 @@ func doctorAutoFix(ctx context.Context, _ *cobra.Command, out, errOut *ui.UI, st
 
 	if !needComposeFix && !needRestart && len(unfixable) == 0 {
 		out.Success("No fixable issues in selected checks")
-		return
+		return false
 	}
 
 	// Phase 2: execute fixes in correct order (compose before restart).
@@ -257,6 +259,7 @@ func doctorAutoFix(ctx context.Context, _ *cobra.Command, out, errOut *ui.UI, st
 	for _, issue := range unfixable {
 		out.HintNextStep(fmt.Sprintf("No auto-fix available for: %s", issue))
 	}
+	return needComposeFix || needRestart
 }
 
 // doctorFixCompose regenerates compose.yml from the embedded template.
diff --git a/cli/cmd/logs.go b/cli/cmd/logs.go
@@ -94,7 +94,9 @@ func runLogs(cmd *cobra.Command, args []string) error {
 	}
 
 	out.HintTip("Use -f to follow log output in real time.")
-	out.HintGuidance(logsFilterHint)
+	if !logFollow {
+		out.HintGuidance(logsFilterHint)
+	}
 	return nil
 }
 

Original file line number	Diff line number	Diff line change
`@@ -94,7 +94,9 @@ func runLogs(cmd *cobra.Command, args []string) error {`
`94`	`94`	`}`
`95`	`95`
`96`	`96`	`out.HintTip("Use -f to follow log output in real time.")`
`97`		`- out.HintGuidance(logsFilterHint)`
	`97`	`+ if !logFollow {`
	`98`	`+ out.HintGuidance(logsFilterHint)`
	`99`	`+ }`
`98`	`100`	`return nil`
`99`	`101`	`}`
`100`	`102`