Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CodeQL fixes #102

Merged
merged 10 commits into from
Sep 13, 2021
Merged

CodeQL fixes #102

merged 10 commits into from
Sep 13, 2021

Conversation

mbien
Copy link
Member

@mbien mbien commented Aug 27, 2021
edited
Loading

This PR closes some (~14) CodeQL alerts.

Most of them could be fixed by restructuring the code a little.

75ba795 changes the config so that JS alerts don't show up three times.

I am thinking about closing two additional alerts manually:

bonus:
96810ea is a unrelated fix, 188e201 sets JS produced cookies to https and "SameSite" by default

@mbien
RememberMeService should use a better hash function.
bf2652f
@mbien
Context URL validation.
e6160c3
@mbien
TagDataServlet: Escape URIs for XML output to make CodeQL happy.
0a18cc9 
This is technically not needed, but CodeQL thinks those variables are client provided Strings,
since one code path leads to the InitFilter. We do it anyway to fix 3 alerts + its trivial.
@mbien
FileContentManagerImpl: Validate Path before creating a File.
8ea6e9d 
CodeQL doesn't understand validation which is happening *after* Files or Paths are created.
Rewriting the method a little bit solves that + its now using Path instead of File.
@mbien
FileContentManagerImpl: Validate filename in saveFileContent() + use …
b438911 
…stream transferTo() shortcut.
@mbien
FolderEdit: HTTP response splitting defense.
ea8abe1
@mbien
WeblogRequestMapper: Use already validated weblog handle for redirect…
b443ee4 
… logic.
@mbien
close the right stream (getter would return a new stream).
96810ea
@mbien
set cookie "secure" and "SameSite" flags by default.
188e201
@mbien
CodeQL: don't scan JS files three times.
75ba795 
this requires unfortunately another config file since path settings
can't be set in the workflow config.
see github/codeql-action#283
@mbien mbien marked this pull request as ready for review August 29, 2021 05:28
snoopdave
snoopdave approved these changes Sep 11, 2021
View reviewed changes
Copy link
Contributor

@snoopdave snoopdave left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some very nice simplifications and fixes in here!

@mbien mbien merged commit 440ef70 into apache:master Sep 13, 2021
@mbien
Copy link
Member Author

mbien commented Sep 13, 2021

@snoopdave thanks for taking a look. As mentioned in the PR I just manually closed the two additional CodeQL alerts.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@snoopdave snoopdave snoopdave approved these changes

@adityasharma7 adityasharma7 Awaiting requested review from adityasharma7

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mbien @snoopdave