[NEW QUERY] Add pathlib.Path.resolve() and is_relative_to() as path injection sanitizers

[Copilot]

📝 Query Information

• Language: Python
• Query ID: python/detect-unsanitized-rglob-path-traversal
• Category: Security
• Severity: warning
• CWE/CVE: CWE-22

🎯 Description

What This Query Detects

The standard py/path-injection query does not recognize pathlib.Path.resolve() as path normalization or pathlib.Path.is_relative_to() as a safe access check — despite their os.path equivalents (realpath, startswith) already being modeled. This causes false positives when the idiomatic pathlib sanitization pattern is used.

This PR extends the standard library's two-state flow machine (NotNormalized → NormalizedUnchecked) via its OO extension points:

• PathlibResolveCall extends Path::PathNormalization::Range (analogous to OsPathRealpathCall in Stdlib.qll:~1065)
• IsRelativeToCall extends Path::SafeAccessCheck::Range (analogous to StartswithCall in Stdlib.qll:~5090)

Both sanitizers must be applied together (normalize then check) for the flow to be blocked — matching the standard library's intended design.

Example Vulnerable Code

# Detected: no sanitization
def get_summary(job_id):
    job_dir = JOBS_ROOT / job_id
    matches = list(job_dir.rglob("summary.csv"))

Example Safe Code

# Not detected: resolve() + is_relative_to() breaks the taint flow
def get_summary(job_id):
    job_dir = JOBS_ROOT / job_id
    resolved = job_dir.resolve()
    if not resolved.is_relative_to(JOBS_ROOT):
        raise ValueError("path escapes root")
    matches = list(resolved.rglob("summary.csv"))

Upstream re-bundling note

CodeQL is extensible via OO here — no custom query would be needed if these two classes were added directly to semmle/python/frameworks/Stdlib.qll in the standard library. The custom query exists only because the standard py/path-injection doesn't import our extensions.

🧪 Testing

• Positive test cases included
• Negative test cases included
• Edge cases covered
• All tests pass

Seven scenarios tested: unsanitized rglob, sanitized rglob (resolve+is_relative_to), resolve-only, check-only, sanitized open, unsanitized open, and existing realpath+startswith regression.

📋 Checklist

• Query compiles without errors
• Documentation complete (.md and .qhelp)
• Metadata properly set (@name, @id, @kind, etc.)
• Tests validate query behavior
• No false positives in test cases

🔗 References

• pathlib.Path.resolve()
• pathlib.PurePath.is_relative_to()
• CWE-22: Path Traversal
• Standard library equivalents: OsPathRealpathCall and StartswithCall in Stdlib.qll

---

Note: This query was developed using Test-Driven Development methodology.

---

📍 Connect Copilot coding agent with Jira, Azure Boards or Linear to delegate work to Copilot in one click without leaving your project management tool.