github
diff --git a/‎lib/config-utils.js‎
Lines changed: 20 additions & 2 deletions b/‎lib/config-utils.js‎
Lines changed: 20 additions & 2 deletions
diff --git a/‎lib/config-utils.js.map‎
Lines changed: 1 addition & 1 deletion b/‎lib/config-utils.js.map‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎lib/config-utils.test.js‎
Lines changed: 37 additions & 0 deletions b/‎lib/config-utils.test.js‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎lib/config-utils.test.js.map‎
Lines changed: 1 addition & 1 deletion b/‎lib/config-utils.test.js.map‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/config-utils.test.ts‎
Lines changed: 46 additions & 0 deletions b/‎src/config-utils.test.ts‎
Lines changed: 46 additions & 0 deletions
diff --git a/‎src/config-utils.ts‎
Lines changed: 24 additions & 2 deletions b/‎src/config-utils.ts‎
Lines changed: 24 additions & 2 deletions
@@ -343,3 +343,49 @@ doInvalidQueryUsesTest(
 doInvalidQueryUsesTest(
   "./..",
   c => configUtils.getLocalPathOutsideOfRepository(c, ".."));
+
+const validPaths = [
+  'foo',
+  'foo/',
+  'foo/**',
+  'foo/**/',
+  'foo/**/**',
+  'foo/**/bar/**/baz',
+  '**/',
+  '**/foo',
+  '/foo',
+];
+const invalidPaths = [
+  'a/***/b',
+  'a/**b',
+  'a/b**',
+  '**',
+];
+test('path validations', t => {
+  // Dummy values to pass to validateAndSanitisePath
+  const propertyName = 'paths';
+  const configFile = './.github/codeql/config.yml';
+
+  for (const path of validPaths) {
+    t.truthy(configUtils.validateAndSanitisePath(path, propertyName, configFile));
+  }
+  for (const path of invalidPaths) {
+    t.throws(() => configUtils.validateAndSanitisePath(path, propertyName, configFile));
+  }
+});
+
+test('path sanitisation', t => {
+  // Dummy values to pass to validateAndSanitisePath
+  const propertyName = 'paths';
+  const configFile = './.github/codeql/config.yml';
+
+  // Valid paths are not modified
+  t.deepEqual(
+    configUtils.validateAndSanitisePath('foo/bar', propertyName, configFile),
+    'foo/bar');
+
+  // Trailing stars are stripped
+  t.deepEqual(
+    configUtils.validateAndSanitisePath('foo/**', propertyName, configFile),
+    'foo/');
+});
@@ -113,6 +113,28 @@ export class Config {
   }
 }
 
+// Regex validating stars in paths or paths-ignore entries.
+// The intention is to only allow ** to appear when immediately
+// preceded and followed by a slash.
+const pathStarsRegex = /.*(?:\*\*[^/].*|\*\*$|[^/]\*\*.*)/;
+
+// Checks that a paths of paths-ignore entry is valid, possibly modifying it
+// to make it valid, or if not possible then throws an error.
+export function validateAndSanitisePath(originalPath: string, propertyName: string, configFile: string): string {
+  let path = originalPath;
+  if (path.endsWith('/**')) {
+    path = path.substring(0, path.length - 2);
+  }
+  if (path.match(pathStarsRegex)) {
+    throw new Error(getConfigFilePropertyError(
+      configFile,
+      propertyName,
+      '"' + originalPath + '" contains an invalid "**" wildcard. ' +
+        'They must be immediately preceeded and followed by a slash as in "/**/".'));
+  }
+  return path;
+}
+
 export function getNameInvalid(configFile: string): string {
   return getConfigFilePropertyError(configFile, NAME_PROPERTY, 'must be a non-empty string');
 }
@@ -243,7 +265,7 @@ async function initConfig(): Promise<Config> {
       if (typeof path !== "string" || path === '') {
         throw new Error(getPathsIgnoreInvalid(configFile));
       }
-      config.pathsIgnore.push(path);
+      config.pathsIgnore.push(validateAndSanitisePath(path, PATHS_IGNORE_PROPERTY, configFile));
     });
   }
 
@@ -255,7 +277,7 @@ async function initConfig(): Promise<Config> {
       if (typeof path !== "string" || path === '') {
         throw new Error(getPathsInvalid(configFile));
       }
-      config.paths.push(path);
+      config.paths.push(validateAndSanitisePath(path, PATHS_PROPERTY, configFile));
     });
   }