From 31ea0b3b6ac9ac448d4dc686e9b813587227a923 Mon Sep 17 00:00:00 2001
From: John Samuel
Date: Tue, 7 Apr 2026 11:40:05 +0200
Subject: [PATCH] Potential fix for code scanning alert no. 5: Uncontrolled data used in path expression
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 shexstatements/shexfromspreadsheet.py | 49 +++++++++++++++++++--------
 1 file changed, 35 insertions(+), 14 deletions(-)
diff --git a/shexstatements/shexfromspreadsheet.py b/shexstatements/shexfromspreadsheet.py
index cf3cd63..9562ab6 100644
--- a/shexstatements/shexfromspreadsheet.py
+++ b/shexstatements/shexfromspreadsheet.py
@@ -6,6 +6,7 @@ from os import remove
 from os.path import splitext
+import tempfile
 from odf.opendocument import load
 from odf.table import TableCell, TableRow
@@ -46,13 +47,23 @@ def generate_shex_from_spreadsheet(filepath, skip_header=False, stream=None):
 if(file_extension in {".xlsx", ".xlsm", ".xltx", ".xltm"}):
 wb = None
+ temp_path = None
 if stream is not None:
- with open("tmp" + filepath, "wb") as sf:
- sf.write(stream)
- sf.close()
- filepath = "tmp" + filepath
+ fd, temp_path = tempfile.mkstemp(suffix=file_extension)
+ try:
+ with open(fd, "wb") as sf:
+ sf.write(stream)
+ except TypeError:
+ # Fallback for environments where opening by fd is not supported
+ import os
+ os.close(fd)
+ with open(temp_path, "wb") as sf:
+ sf.write(stream)
+ filepath_to_open = temp_path
+ else:
+ filepath_to_open = filepath
- wb = load_workbook(filepath)
+ wb = load_workbook(filepath_to_open)
 for ws in wb.worksheets:
 for i in range(1, ws.max_row+1):
 line = list()
@@ -63,8 +74,8 @@ def generate_shex_from_spreadsheet(filepath, skip_header=False, stream=None):
 line = "|".join(line)
 data = data + line + "\n"
- if stream is not None:
- remove(filepath)
+ if stream is not None and temp_path is not None:
+ remove(temp_path)
 elif(file_extension in {".xls"}):
 wb = None
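Review bot: The `except TypeError` fallback added around `with open(fd, "wb") as sf:` cannot do what its comment says and is unsafe when it does run. `open()` accepts an integer file descriptor on every Python 3, so the only visible source of `TypeError` inside the `try` is `sf.write(stream)` (for example when `stream` is `str` rather than bytes); by then the `with` block has already closed `fd`, so `os.close(fd)` either raises `OSError` or, in a threaded process, closes a descriptor that has since been handed to another thread, and the retried write fails the same way. Dropping the fallback leaves `fd, temp_path = tempfile.mkstemp(suffix=file_extension)` followed by `with open(fd, "wb") as sf:` and `sf.write(stream)`; the identical block in the `.ods` hunk (`@@ -84,13 +95,23 @@`) needs the same change. The enclosing function starts and ends outside the hunk.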
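Review bot: `remove(temp_path)` still runs only when parsing succeeds, so a `stream` that makes `load_workbook` or the row loop raise leaves the `mkstemp` file behind. The `except Exception as e:` handler visible at the end of the patch does not appear to delete it, though its body is outside the hunks, so repeated malformed inputs can fill the temp directory with attacker-supplied content. Moving the cleanup into a `finally` that covers the write, the load and the loop fixes this for the `.xlsx` branch here and for the `.ods` hunk (`@@ -101,8 +122,8 @@`), where the same two lines were added; the sketch below is de-indented to the branch body.

```python
temp_path = None
try:
    if stream is not None:
        fd, temp_path = tempfile.mkstemp(suffix=file_extension)
        # … unchanged: stream written to the mkstemp file …
    wb = load_workbook(temp_path if temp_path is not None else filepath)
    # … unchanged: worksheet rows joined into data …
finally:
    # runs on parse errors too, so a rejected input leaves nothing on disk
    if temp_path is not None:
        remove(temp_path)
```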
@@ -84,13 +95,23 @@ def generate_shex_from_spreadsheet(filepath, skip_header=False, stream=None):
 elif(file_extension in {".ods"}):
 wb = None
+ temp_path = None
 if stream is not None:
- with open("tmp" + filepath, "wb") as sf:
- sf.write(stream)
- sf.close()
- filepath = "tmp" + filepath
+ fd, temp_path = tempfile.mkstemp(suffix=file_extension)
+ try:
+ with open(fd, "wb") as sf:
+ sf.write(stream)
+ except TypeError:
+ # Fallback for environments where opening by fd is not supported
+ import os
+ os.close(fd)
+ with open(temp_path, "wb") as sf:
+ sf.write(stream)
+ filepath_to_open = temp_path
+ else:
+ filepath_to_open = filepath
- wb = load(filepath)
+ wb = load(filepath_to_open)
 wb = wb.spreadsheet
 rows = wb.getElementsByType(TableRow)
 for row in rows:
@@ -101,8 +122,8 @@ def generate_shex_from_spreadsheet(filepath, skip_header=False, stream=None):
 line.append(str(cell))
 data = data+"|".join(line) + "\n"
- if stream is not None:
- remove(filepath)
+ if stream is not None and temp_path is not None:
+ remove(temp_path)
 shexstatement = CSV.generate_shex_from_data_string(data)
 except Exception as e:
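Review bot: The block added to this `.ods` branch, from `fd, temp_path = tempfile.mkstemp(suffix=file_extension)` down to `filepath_to_open = filepath`, is a verbatim copy of the one added to the `.xlsx` branch, so every later correction to the temp-file handling has to be made twice. A private helper such as `def _stream_to_tempfile(stream, suffix):` that returns the path would keep the logic in one place, leaving each branch with `temp_path = _stream_to_tempfile(stream, file_extension) if stream is not None else None`. The `.xls` branch sits between the hunks and is not shown; if it still writes `stream` to a name derived from `filepath`, the code-scanning alert this commit targets would remain open there.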