akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases Wiki Activity

chore: Implement CodeQL CI Alignment and Security Scanning

Browse Source 
- Added comprehensive QA report for CodeQL CI alignment implementation, detailing tests, results, and findings.
- Created CodeQL security scanning guide in documentation, outlining usage and common issues.
- Developed pre-commit hooks for CodeQL scans and findings checks, ensuring security issues are identified before commits.
- Implemented scripts for running CodeQL Go and JavaScript scans, aligned with CI configurations.
- Verified all tests passed, including backend and frontend coverage, TypeScript checks, and SARIF file generation.
This commit is contained in:
GitHub Actions
2025-12-24 14:35:33 +00:00
parent 369182f460
commit 70bd60dbce
23 changed files with 6049 additions and 652 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
backend/internal/api/handlers/crowdsec_handler.go
View File

@@ -708,19 +708,25 @@ func (h *CrowdsecHandler) PullPreset(c *gin.Context) {
res, err := h.Hub.Pull(ctx, slug)
if err != nil {
status := mapCrowdsecStatus(err, http.StatusBadGateway)
// codeql[go/log-injection] Safe: User input sanitized via util.SanitizeForLog()
// which removes control characters (0x00-0x1F, 0x7F) including CRLF
logger.Log().WithError(err).WithField("slug", util.SanitizeForLog(slug)).WithField("hub_base_url", h.Hub.HubBaseURL).Warn("crowdsec preset pull failed")
c.JSON(status, gin.H{"error": err.Error(), "hub_endpoints": h.hubEndpoints()})
return
}
// Verify cache was actually stored
// codeql[go/log-injection] Safe: res.Meta fields are system-generated (cache keys, file paths)
// not directly derived from untrusted user input
logger.Log().WithField("slug", res.Meta.Slug).WithField("cache_key", res.Meta.CacheKey).WithField("archive_path", res.Meta.ArchivePath).WithField("preview_path", res.Meta.PreviewPath).Info("preset pulled and cached successfully")
// Verify files exist on disk
if _, err := os.Stat(res.Meta.ArchivePath); err != nil {
// codeql[go/log-injection] Safe: archive_path is system-generated file path
logger.Log().WithError(err).WithField("archive_path", res.Meta.ArchivePath).Error("cached archive file not found after pull")
}
if _, err := os.Stat(res.Meta.PreviewPath); err != nil {
// codeql[go/log-injection] Safe: preview_path is system-generated file path
logger.Log().WithError(err).WithField("preview_path", res.Meta.PreviewPath).Error("cached preview file not found after pull")
}
@@ -816,6 +822,8 @@ func (h *CrowdsecHandler) ApplyPreset(c *gin.Context) {
res, err := h.Hub.Apply(ctx, slug)
if err != nil {
status := mapCrowdsecStatus(err, http.StatusInternalServerError)
// codeql[go/log-injection] Safe: User input (slug) sanitized via util.SanitizeForLog();
// backup_path and cache_key are system-generated values
logger.Log().WithError(err).WithField("slug", util.SanitizeForLog(slug)).WithField("hub_base_url", h.Hub.HubBaseURL).WithField("backup_path", res.BackupPath).WithField("cache_key", res.CacheKey).Warn("crowdsec preset apply failed")
if h.DB != nil {
_ = h.DB.Create(&models.CrowdsecPresetEvent{Slug: slug, Action: "apply", Status: "failed", CacheKey: res.CacheKey, BackupPath: res.BackupPath, Error: err.Error()}).Error