fix: authentication issues for certificate endpoints and improve test coverage

- Updated UsersPage tests to check for specific URL formats instead of regex patterns. - Increased timeout for Go coverage report generation to handle larger repositories. - Cleaned up generated artifacts before running CodeQL analysis to reduce false positives. - Removed outdated QA testing report for authentication fixes on the certificates page. - Added final report confirming successful resolution of authentication issues with certificate endpoints. - Deleted previous test output files to maintain a clean test results directory.
2026-01-03 03:08:43 +00:00
parent 8f15fdd97f
commit 3aaa059a15
41 changed files with 3019 additions and 2298 deletions
--- a/.github/codeql/codeql-config.yml
+++ b/.github/codeql/codeql-config.yml
@@ -2,46 +2,10 @@
 # See: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning
 name: "Charon CodeQL Config"

-# Query filters to exclude specific alerts with documented justification
-query-filters:
-  # ===========================================================================
-  # SSRF False Positive Exclusion
-  # ===========================================================================
-  # File: backend/internal/utils/url_testing.go (line 276)
-  # Rule: go/request-forgery
-  #
-  # JUSTIFICATION: This file implements comprehensive 4-layer SSRF protection:
-  #
-  # Layer 1: Format Validation (utils.ValidateURL)
-  #   - Validates URL scheme (http/https only)
-  #   - Parses and validates URL structure
-  #
-  # Layer 2: Security Validation (security.ValidateExternalURL)
-  #   - Performs DNS resolution with timeout
-  #   - Blocks 13+ private/reserved IP CIDR ranges:
-  #     * RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
-  #     * Loopback: 127.0.0.0/8, ::1/128
-  #     * Link-Local: 169.254.0.0/16 (AWS/GCP/Azure metadata), fe80::/10
-  #     * Reserved: 0.0.0.0/8, 240.0.0.0/4, 255.255.255.255/32
-  #     * IPv6 ULA: fc00::/7
-  #
-  # Layer 3: Connection-Time Validation (ssrfSafeDialer)
-  #   - Re-resolves DNS at connection time (prevents DNS rebinding)
-  #   - Re-validates all resolved IPs against blocklist
-  #   - Blocks requests if any IP is private/reserved
-  #
-  # Layer 4: Request Execution (TestURLConnectivity)
-  #   - HEAD request only (minimal data exposure)
-  #   - 5-second timeout
-  #   - Max 2 redirects with redirect target validation
-  #
-  # Security Review: Approved - defense-in-depth prevents SSRF attacks
-  # Last Review Date: 2026-01-01
-  # ===========================================================================
-  - exclude:
-      id: go/request-forgery
-
 # Paths to ignore from all analysis (use sparingly - prefer query-filters)
-# paths-ignore:
-#   - "**/vendor/**"
-#   - "**/testdata/**"
+paths-ignore:
+  - "frontend/coverage/**"
+  - "frontend/dist/**"
+  - "playwright-report/**"
+  - "test-results/**"
+  - "coverage/**"