Delete bundled db before recreating

Author: robertbrignull

lib/database-upload.js

@@ -57,7 +57,10 @@ export async function uploadDatabases(
 
   const codeql = await getCodeQL(config.codeQLCmd);
   for (const language of config.languages) {
-    // Upload the database bundle
+    // Upload the database bundle.
+    // Although we are uploading arbitrary file contents to the API, it's worth
+    // noting that it's the API's job to validate that the contents is acceptable.
+    // This API method is available to anyone with write access to the repo.
     const payload = fs.readFileSync(await bundleDb(config, language, codeql));
     try {
       if (useUploadDomain) {

lib/database-upload.js.map

@@ -559,9 +559,15 @@ export async function bundleDb(
     config.dbLocation,
     `${databasePath}.zip`
   );
-  if (!fs.existsSync(databaseBundlePath)) {
-    await codeql.databaseBundle(databasePath, databaseBundlePath);
-  }
+  // For a tiny bit of added safety, delete the file if it exists.
+  // The file is probably from an earlier call to this function, either
+  // as part of this action step or a previous one, but it could also be
+  // from somewhere else or someone trying to make the action upload a
+  // non-database file.
+  if (fs.existsSync(databaseBundlePath)) {
+    fs.rmSync(databaseBundlePath, { recursive: true });
+  }
+  await codeql.databaseBundle(databasePath, databaseBundlePath);
   return databaseBundlePath;
 }