Add Path Validation for DiskBasedResponseCache and DiskBasedResultStore#7397
Merged
peterwald merged 13 commits intodotnet:mainfrom Mar 18, 2026
Merged
Add Path Validation for DiskBasedResponseCache and DiskBasedResultStore#7397peterwald merged 13 commits intodotnet:mainfrom
peterwald merged 13 commits intodotnet:mainfrom
Conversation
github-actions
Bot
added
the
area-ai-eval
Contributor
There was a problem hiding this comment.
Pull request overview
Adds centralized filesystem path-segment validation to prevent path traversal in disk-backed evaluation reporting storage components, improving safety when user-controlled names influence on-disk paths.
Changes:
- Introduces
PathValidationutility for validating path segments and ensuring resolved paths stay within a configured root. - Applies validation/containment checks in
DiskBasedResultStoreandDiskBasedResponseCache. - Adds unit + integration tests covering valid/invalid segments and traversal attempts.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| test/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting.Tests/DiskBased/PathValidationTests.cs | Adds coverage for path-segment validation, root containment, and traversal rejection in disk-backed components. |
| src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/CSharp/Utilities/PathValidation.cs | New shared helper to validate path segments and prevent resolved paths from escaping a configured root. |
| src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/CSharp/Storage/DiskBasedResultStore.cs | Validates inputs and ensures constructed paths remain under the results root to prevent traversal. |
| src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/CSharp/Storage/DiskBasedResponseCache.cs | Validates scenario/iteration/key segments and ensures cache paths stay within the cache root. |
Comments suppressed due to low confidence (1)
test/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting.Tests/DiskBased/PathValidationTests.cs:203
- xUnit async tests should return Task rather than using
async void. Usingasync voidcan lead to unobserved exceptions and flaky behavior; update the signature topublic async Task ....
[Fact]
public async void DiskBasedResponseCacheProvider_TraversalInScenarioName_Throws()
{
You can also share your feedback on Copilot code review. Take the survey.
Co-authored-by: Copilot Autofix powered by AI <[email protected]>
shyamnamboodiripad
approved these changes
Mar 18, 2026
Contributor
shyamnamboodiripad
left a comment
shyamnamboodiripad
left a comment
There was a problem hiding this comment.
LGTM modulo comments and edge cases
…arp/Utilities/PathValidation.cs Co-authored-by: Shyam N <[email protected]>
…arp/Utilities/PathValidation.cs Co-authored-by: Shyam N <[email protected]>
…ET Framework and add tests for UNC paths and edge cases
jozkee
pushed a commit
to jozkee/extensions
that referenced
this pull request
Apr 3, 2026
…re (dotnet#7397) * Add Path Validation for DiskBasedResponseCache and DiskBasedResultStore * Refactor async test methods in PathValidationTests to use Task instead of void * Update error message 'value' to 'parameter' Co-authored-by: Copilot Autofix powered by AI <[email protected]> * Fix separator tests on Mac/Linux * Update src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/CSharp/Utilities/PathValidation.cs Co-authored-by: Shyam N <[email protected]> * Update src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/CSharp/Utilities/PathValidation.cs Co-authored-by: Shyam N <[email protected]> * Improve root path check. * Enhance EnsureWithinRoot method to handle directory separators for .NET Framework and add tests for UNC paths and edge cases * Fix net standard builds * Retrigger build --------- Co-authored-by: Copilot Autofix powered by AI <[email protected]> Co-authored-by: Shyam N <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Microsoft Reviewers: Open in CodeFlow