refactor(codeql): decompose complex conditions + harden Vite web-root check#227
Open
rlorenzo wants to merge 2 commits into
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #227 +/- ##
==========================================
- Coverage 44.49% 44.47% -0.02%
==========================================
Files 895 895
Lines 51655 51673 +18
Branches 4812 4819 +7
==========================================
Hits 22983 22983
- Misses 28108 28124 +16
- Partials 564 566 +2
Bundle Report
Bundle size has no change ✅
Pull request overview
Refactors several complex boolean conditions into named sub-conditions / guard clauses to address CodeQL cs/complex-condition findings while keeping behavior the same.
Changes:
- CMS.CheckFilePermission: adds an early-return for public files and extracts permission checks into named booleans.
- ScheduleEditService: deduplicates duplicate/constraint message checks via a helper method.
- ViteProxyHelpers.CreateProxyRequest: extracts named booleans for “method supports body” and “has readable body”.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| web/ViteProxyHelpers.cs | Simplifies proxy request body-copy condition via named booleans. |
| web/Areas/CMS/Data/CMS.cs | Refactors CMS file permission logic into guard clause + named condition variables. |
| web/Areas/ClinicalScheduler/Services/ScheduleEditService.cs | Extracts DB constraint/duplicate detection into a helper for reuse. |
Extract named sub-conditions / guard clauses to clear cs/complex-condition findings, behavior-preserving:
- CMS.CheckFilePermission: early-return guard clauses; resolve the user's permissions once into an OrdinalIgnoreCase HashSet instead of re-querying per file permission (removes an O(n^2) scan).
- ViteProxyHelpers.CreateProxyRequest: methodSupportsBody / hasReadableBody named bools, comparing the request method with OrdinalIgnoreCase rather than allocating an uppercased copy.
Append a trailing separator to the resolved web root before the StartsWith containment check so a sibling directory (e.g. wwwroot-secret) cannot satisfy the prefix check against wwwroot and bypass the directory-traversal guard when serving Vite static files.
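What
1. Decompose complex boolean conditions (cs/complex-condition), behavior-preserving:
- CMS.CheckFilePermission — early-return guard clauses; resolve the user's permissions once into an OrdinalIgnoreCase HashSet instead of an O(n²) per-permission scan.
- ViteProxyHelpers.CreateProxyRequest — methodSupportsBody / hasReadableBody named bools.
2. Fix a directory-boundary bug (folded-in follow-up): the Vite static-file path check used resolvedPhysical.StartsWith(resolvedWebRoot), which a sibling like wwwroot-secret would pass. Append a trailing separator (via Path.EndsInDirectorySeparator) so the check respects the directory boundary.

Scope
ScheduleEditService was removed from this PR to avoid overlapping with #229 — that PR owns the duplicate-detection fix (SqlException.Number), which also clears the complex-condition alert there. 14 other complex-condition alerts were dismissed (EF/LINQ predicates that must stay single expressions, plus test-file chains).

Two commits: the refactor and the security fix are kept separate.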
ScheduleEditServicewas removed from this PR to avoid overlapping with #229 — that PR owns the duplicate-detection fix (SqlException.Number), which also clears thecomplex-conditionalert there. 14 othercomplex-conditionalerts were dismissed (EF/LINQ predicates that must stay single expressions, plus test-file chains).Two commits: the refactor and the security fix are kept separate.