Charon/.github/codeql/codeql-config.yml


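---
# CodeQL Configuration File
# See: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning
name: "Charon CodeQL Config"

# ---------------------------------------------------------------------------
# Scope of suppressions in this file
# ---------------------------------------------------------------------------
# `query-filters` match query metadata only (id, tags, precision, severity)
# and apply to the WHOLE repository; they cannot be scoped to a path or line.
# An `exclude` by `id` therefore disables that query for every file, not just
# the one whose false positive prompted it, and any real finding of the same
# class elsewhere in the codebase is silently dropped.
#
# A single known-false-positive alert is suppressed at its source line
# instead, with a comment such as `// lgtm[go/request-forgery]` on the
# alerting line (recent CodeQL releases also accept `// codeql[<query-id>]`;
# confirm the alert-suppression query is part of the suite the workflow runs).
#
# The repository-wide exclusion that previously lived here is reproduced
# below, commented out, so the history stays visible. Do not reinstate it:
# the justification that follows covers exactly one call site.
#
# query-filters:
#   - exclude:
#       id: go/request-forgery
#
# ===========================================================================
# SSRF False Positive — suppressed inline at the call site, NOT repo-wide
# ===========================================================================
# File: backend/internal/utils/url_testing.go (line 276)
# Rule: go/request-forgery
# Suppression: `// lgtm[go/request-forgery]` on that line. Until that comment
# is in place the alert will show up in code scanning again; that is the
# intended state — triage it there rather than widening this config.
#
# JUSTIFICATION (why this one call site is a false positive): the file
# implements comprehensive 4-layer SSRF protection:
#
# Layer 1: Format Validation (utils.ValidateURL)
# - Validates URL scheme (http/https only)
# - Parses and validates URL structure
#
# Layer 2: Security Validation (security.ValidateExternalURL)
# - Performs DNS resolution with timeout
# - Blocks 13+ private/reserved IP CIDR ranges, including:
#   * RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
#   * Loopback: 127.0.0.0/8, ::1/128
#   * Link-Local: 169.254.0.0/16 (AWS/GCP/Azure metadata), fe80::/10
#   * Reserved: 0.0.0.0/8, 240.0.0.0/4, 255.255.255.255/32
#   * IPv6 ULA: fc00::/7
# NOTE(review): only 11 ranges are listed above although the text says 13+.
#   Ranges not mentioned here that a blocklist of this kind normally carries:
#   100.64.0.0/10 (shared address space, used by some cloud metadata
#   services), multicast 224.0.0.0/4 and ff00::/8, the unspecified address
#   ::/128, IPv4-mapped IPv6 ::ffff:0:0/96 (so that ::ffff:169.254.169.254 is
#   unmapped and caught by the IPv4 rules) and NAT64 64:ff9b::/96. Confirm
#   against the blocklist in security.ValidateExternalURL and keep this list
#   in sync whenever that blocklist changes.
#
# Layer 3: Connection-Time Validation (ssrfSafeDialer)
# - Re-resolves DNS at connection time (prevents DNS rebinding)
# - Re-validates all resolved IPs against blocklist
# - Blocks requests if any IP is private/reserved
# NOTE(review): this only closes the rebinding window if the dialer then
#   connects to the address it just validated rather than handing the
#   hostname back to the resolver a third time; confirm ssrfSafeDialer dials
#   the validated IP literal.
#
# Layer 4: Request Execution (TestURLConnectivity)
# - HEAD request only (minimal data exposure)
# - 5-second timeout
# - Max 2 redirects with redirect target validation
# NOTE(review): a HEAD to an internal endpoint is still a request, so the
#   method limits data exposure but Layers 2-3 are what prevent SSRF. Redirect
#   hops only inherit the connection-time check if ssrfSafeDialer is installed
#   on the http.Transport used by the client that follows them — confirm.
#
# Security Review: Approved - defense-in-depth prevents SSRF attacks
# Last Review Date: 2026-01-01
# Re-review whenever ValidateExternalURL, ssrfSafeDialer or
# TestURLConnectivity change; the inline suppression must move with line 276.
# ===========================================================================

# Paths to ignore from all analysis (use sparingly). Matched files produce
# NO alerts from ANY query, so this is an even broader suppression than a
# query filter; keep it to vendored code and test fixtures.
# paths-ignore:
#   - "**/vendor/**"
#   - "**/testdata/**"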