Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Resolve CodeQL issues #2884

Open
1 task
nitrocode opened this issue Dec 27, 2022 · 0 comments
Open
1 task

Resolve CodeQL issues #2884

nitrocode opened this issue Dec 27, 2022 · 0 comments
Assignees
@GenPage
Labels
feature New functionality/enhancement never-stale security
Milestone
v1.0.0

Comments

@nitrocode
Copy link
Member

nitrocode commented Dec 27, 2022
edited
Loading

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Describe the user story

There are many issues that came up from gosec which were ignored in the code without a comment. I proposed CodeQL in a recent PR and it found some issues that I believe still impact this project today.

https://github.com/runatlantis/atlantis/security/code-scanning?query=pr%3A2879+tool%3ACodeQL+is%3Aopen

Describe the solution you'd like

Lets go over each vulnerability, dismiss or acknowledge it, and either fix it or create an issue to fix it for the next release.

Critical

High

  • (9) Log entries created from user input
    • Some of these are bitbucket related (resolved by using a bitbucket library)
    • Some of these are azure devops related (resolved by using the already installed azure devops library)
    • Some are due to not sanitizing inputs from the API /locks?id endpoint
  • (1) Arbitrary file write during zip extraction ("zip slip")
    • Seems easy enough to address by checking for ..
  • (8) Uncontrolled data used in path expression

Medium

  • (3) Reflected cross-site scripting

For now, investigating each // nolint:gosec comment can be left for a future ticket. The work for that ticket would be reduced by this ticket.

Describe the drawbacks of your solution

None

Describe alternatives you've considered

None
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@GenPage GenPage

Labels
feature New functionality/enhancement never-stale security
Projects
None yet
Milestone
v1.0.0
Development

No branches or pull requests
2 participants
@GenPage @nitrocode