Skip to content

Fix path injection vulnerability in GPS module subprocess call#1387

Merged
brianmcgillion merged 2 commits intomainfrom
copilot/fix-security-vulnerability
Sep 9, 2025
Merged

Fix path injection vulnerability in GPS module subprocess call#1387
brianmcgillion merged 2 commits intomainfrom
copilot/fix-security-vulnerability

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Sep 9, 2025
edited
Loading

This PR fixes a path injection security vulnerability in the element-gps module that was flagged by GitHub's CodeQL security scanning (alert #54).

Issue

The read_continuous_gps() function in packages/python-packages/element-gps/main.py was using a relative path when executing the gpspipe subprocess:

process = await asyncio.create_subprocess_exec(
    "./run/current-system/sw/bin/gpspipe",  # Relative path vulnerability
    "-w",
    stdin=asyncio.subprocess.PIPE,
    stdout=asyncio.subprocess.PIPE,
)

This creates a path injection vulnerability where an attacker could potentially manipulate the current working directory to execute a malicious binary instead of the intended gpspipe program.

Solution

Changed the relative path to an absolute path to ensure the correct binary is always executed:

process = await asyncio.create_subprocess_exec(
    "/run/current-system/sw/bin/gpspipe",  # Fixed with absolute path
    "-w",
    stdin=asyncio.subprocess.PIPE,
    stdout=asyncio.subprocess.PIPE,
)

Security Impact

  • Prevents path traversal attacks that could lead to arbitrary code execution
  • Ensures the correct system binary is always executed regardless of working directory
  • Maintains all existing functionality without breaking changes

Verification

  • Confirmed this was the only instance of this vulnerability pattern in the codebase
  • Python syntax validation passed
  • No functional changes to the GPS service behavior
  • Minimal surgical fix addressing only the security concern

Fixes #1386.

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

@brianmcgillion
Fix path injection vulnerability in GPS module
3581509 
- Changed relative path "./run/current-system/sw/bin/gpspipe" to absolute path "/run/current-system/sw/bin/gpspipe"
- This prevents potential path traversal attacks and command injection
- Fixes security issue flagged by CodeQL scanning

Co-authored-by: brianmcgillion <1044263+brianmcgillion@users.noreply.github.com>
Copilot AI changed the title [WIP] fix security issue Fix path injection vulnerability in GPS module subprocess call Sep 9, 2025
Copilot AI requested a review from brianmcgillion September 9, 2025 10:06
@brianmcgillion brianmcgillion marked this pull request as ready for review September 9, 2025 10:58
@brianmcgillion brianmcgillion merged commit b0bfd51 into main Sep 9, 2025
35 of 51 checks passed
@brianmcgillion brianmcgillion deleted the copilot/fix-security-vulnerability branch September 9, 2025 11:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@brianmcgillion brianmcgillion brianmcgillion approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@brianmcgillion brianmcgillion

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

fix security issue

2 participants

@brianmcgillion