fix: clear the code scanning alerts (CodeQL + Semgrep) #29
Merged
Conversation
The CI MySQL/MariaDB services no longer start with an empty password (CodeQL high js/empty-password-in-configuration-file): root gets the test password 'root' in the services, in the connection strings and in the mysqladmin health check. The 10 Semgrep findings were false positives verified one by one: file_get_contents on local files (upload meta, manifest, composer.lock and job state) with no input URL, the import destination resolver that REJECTS '..' and additionally confines the path with realpath right below, and test harness code that builds the Capsule on purpose. Each spot got a targeted nosemgrep suppression with the justification on the line itself; the local scan comes out at zero.
| { | ||
| $name = ltrim($name, '/'); | ||
| if (str_contains($name, '..') || str_contains($name, "\0") || str_contains($name, '\\')) { | ||
| if (str_contains($name, '..') || str_contains($name, "\0") || str_contains($name, '\\')) { /* rejeita (não remove) e o destino ainda passa pela contenção com realpath abaixo; nosemgrep: flarum-v2-path-traversal-naive-filter */ |
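Review bot: the justification on the modified line leans on a realpath containment that is not in this hunk, so a reader cannot verify it here; name the function or line that does the realpath prefix check in the comment, and add a unit test for the four shapes that matter: a name with `..`, one with a NUL byte, one with a backslash, and a symlinked subdirectory, because the string check on this line sees none of the rejected characters in `link/escape.txt` and only the realpath step stops it. Minor: `str_contains($name, '..')` also rejects benign names such as `report..v2.csv`; if that matters for imports, checking for a `..` path segment between separators is stricter without being weaker.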
| $path = $dir.DIRECTORY_SEPARATOR.'upload.meta.json'; | ||
| if (! is_file($path)) return []; | ||
| $raw = @file_get_contents($path); | ||
| $raw = @file_get_contents($path); /* leitura de arquivo local, sem URL de input; nosemgrep: flarum-v2-server-side-fetch */ |
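Review bot: the `@` on this line hides a read failure and hands the caller `false` in `$raw`; since this is also the line carrying the suppression, an explicit `if ($raw === false) return [];` after the read is clearer than the `@`, and it covers the file disappearing or becoming unreadable between the `is_file` check and the read instead of letting `false` reach the decoder.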
| $path = $dir.DIRECTORY_SEPARATOR.'upload.meta.json'; | ||
| if (! is_file($path)) return []; | ||
| $raw = @file_get_contents($path); | ||
| $raw = @file_get_contents($path); /* leitura de arquivo local, sem URL de input; nosemgrep: flarum-v2-server-side-fetch */ |
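Review bot: this hunk is byte-identical to the previous upload.meta.json reader. If these are two copies of the same routine in different classes, one shared reader (with the `is_file` guard, the `=== false` check and a single nosemgrep justification) avoids keeping two suppressions in sync; if it is the same lines shown twice by the rendering, disregard.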
| private function loadManifest(string $path): array | ||
| { | ||
| $raw = @file_get_contents($path); | ||
| $raw = @file_get_contents($path); /* leitura de arquivo local, sem URL de input; nosemgrep: flarum-v2-server-side-fetch */ |
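Review bot: `loadManifest(string $path)` reads whatever its callers pass, so the justification "local file, no input URL" holds only as long as every caller honours it, and `file_get_contents` itself accepts stream wrappers (`php://`, `http://`, `data:`). Add the same `is_file($path)` guard the other readers have before this line (it is false for the remote wrappers) and state in the docblock that `$path` must be a filesystem path, so the suppression does not silently extend to a future caller.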
| $composer = $this->appPaths->base.DIRECTORY_SEPARATOR.'composer.lock'; | ||
| if (is_file($composer)) { | ||
| $data = json_decode((string) file_get_contents($composer), true); | ||
| $data = json_decode((string) file_get_contents($composer), true); /* leitura de arquivo local, sem URL de input; nosemgrep: flarum-v2-server-side-fetch */ |
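Review bot: the `(string)` cast turns a failed read into `''`, and `json_decode('', true)` returns `null`, so `$data` can be `null` past this line; guard with `is_array($data)` before indexing it. Unlike the other readers this one has no `@`, so an unreadable composer.lock also emits a warning, and the `is_file` check above does not cover the unreadable case.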
| throw new RuntimeException('Job state file not found: '.$file); | ||
| } | ||
| $raw = @file_get_contents($file); | ||
| $raw = @file_get_contents($file); /* leitura de arquivo local, sem URL de input; nosemgrep: flarum-v2-server-side-fetch */ |
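Review bot: after the existence check throws for a missing file, `@file_get_contents($file)` can still return `false` (file unreadable, or removed between check and read); throw the same `RuntimeException` on `$raw === false` rather than letting `false` flow into the state parser, and then the `@` is no longer needed.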
| use Flarum\Foundation\Paths; | ||
| use Illuminate\Container\Container; | ||
| use Illuminate\Database\Capsule\Manager as Capsule; | ||
| use Illuminate\Database\Capsule\Manager as Capsule; /* harness de teste standalone, sem boot do Flarum; nosemgrep: flarum-v2-capsule-manager */ |
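Review bot: a trailing comment on a `use` import is valid PHP, but it only silences a finding reported on this line; if `flarum-v2-capsule-manager` also matches the `new Capsule` instantiation further down, that line would need its own suppression (the description says the local scan is at zero, so presumably it does not). The instantiation is where a reader looks for the justification, so consider placing it there instead.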
| $this->assertStringNotContainsString( | ||
| $privateKey, | ||
| (string) file_get_contents($jobStateFile), | ||
| (string) file_get_contents($jobStateFile), /* arquivo local do próprio teste; nosemgrep: flarum-v2-server-side-fetch */ |
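Review bot: `(string) file_get_contents($jobStateFile)` makes this assertion pass vacuously when the file cannot be read: `false` becomes `''`, and an empty string never contains the private key. Precede it with `$this->assertFileExists($jobStateFile)` (or assert that the read is not `false`) so a missing or unreadable state file fails the test instead of reporting the key as absent.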
| $this->assertStringNotContainsString( | ||
| $privateKey, | ||
| (string) file_get_contents($jobStateFile), | ||
| (string) file_get_contents($jobStateFile), /* arquivo local do próprio teste; nosemgrep: flarum-v2-server-side-fetch */ |
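Review bot: identical to the previous assertion, with the same vacuous-pass caveat: assert that the state file exists before asserting on its contents.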
| use Illuminate\Container\Container; | ||
| use Illuminate\Database\Capsule\Manager as Capsule; | ||
| use Illuminate\Database\Capsule\Manager as Capsule; /* harness de teste standalone, sem boot do Flarum; nosemgrep: flarum-v2-capsule-manager */ |
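Review bot: same pattern as the other Capsule import suppression; the justification belongs on the instantiation line, where the rule's finding is actually read, and one placement should be used consistently in both harnesses.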
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
What changes
Clears the 12 open Code scanning alerts in the repository.
- CodeQL high ×2 (`js/empty-password-in-configuration-file`, ci.yml:93 and :134): real fix. The CI MySQL/MariaDB services were starting with an empty password (`*_ALLOW_EMPTY_PASSWORD`). They now use the test password `root` in the services, in the `BACKUP_TEST_*` connection strings (including in the all-directions job) and in the `mysqladmin` health check.
- Semgrep ×10: all verified one by one, all false positives; each line got a targeted `nosemgrep` suppression with the justification inline:
  - `flarum-v2-server-side-fetch` ×6: `file_get_contents` on local files (upload.meta.json, the NDJSON manifest, composer.lock, job.json and the E2E test's own state file). No URL and no user input in the path.
  - `flarum-v2-path-traversal-naive-filter` (ImportJob:774): the resolver rejects names containing `..`/NUL/backslash (it does not do the naive strip the rule targets) and, twenty lines below, still canonicalises the parent with `realpath()` and re-checks the allowed root prefix, exactly what the rule's message asks for.
  - `flarum-v2-capsule-manager` ×2: standalone test harness that builds the Capsule on purpose (there is no booted Flarum in unit tests).

Verification
`php -l` on every touched file and local `semgrep` with the Flarum-v2 rules: 0 findings after the PR. Once merged, the push to main re-runs the scanners and the alerts close on their own in the Security tab.

Generated by Claude Code
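To make the reasoning behind the path-traversal and server-side-fetch items concrete, here is an added PHP 8 example written for this review; it is not code from the PR or from Flarum. It places the single-pass `../` strip that the Semgrep rule is written to catch beside a reject-then-confine resolver of the kind the description sketches (reject `..`, NUL and backslash, then canonicalise the parent with `realpath()` and re-check the root prefix), and a local-file reader that refuses stream-wrapper paths before calling `file_get_contents`. The function names, the temporary directory layout and the sample names are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from this PR or from Flarum. Function names,
// the temp-directory layout and the sample names below are assumptions.

// The shape that flarum-v2-path-traversal-naive-filter is written to catch:
// a single-pass strip of "../" can be reassembled by the input itself.
function naiveStrip(string $name): string
{
    return str_replace('../', '', $name); // "....//x" becomes "../x"
}

// Reject-then-confine: refuse suspicious names outright, then verify that the
// canonical parent directory still lies under $root. Returns the absolute
// destination path, or null when the name is rejected. $root is assumed to be
// an existing directory, not the filesystem root.
function resolveImportTarget(string $root, string $name): ?string
{
    $name = ltrim($name, '/');
    if ($name === '' || str_contains($name, '..') || str_contains($name, "\0") || str_contains($name, '\\')) {
        return null; // reject; do not try to "clean" the name
    }

    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }

    $target = $rootReal.DIRECTORY_SEPARATOR.$name;
    // The file itself may not exist yet, so canonicalise its parent directory.
    // This step also catches a symlinked subdirectory, which the string checks
    // above cannot see.
    $parent = realpath(dirname($target));
    if ($parent === false) {
        return null; // intermediate directory missing (or resolution failed)
    }
    // Compare with a trailing separator so "/tmp/root-evil" does not pass for "/tmp/root".
    if (! str_starts_with($parent.DIRECTORY_SEPARATOR, $rootReal.DIRECTORY_SEPARATOR)) {
        return null;
    }

    return $target;
}

// A local-file read that cannot become a server-side fetch: a scheme prefix
// (http://, php://, data:, file://, ...) is refused before file_get_contents runs.
// A single-letter prefix is tolerated so Windows drive paths (C:\...) still work.
function readLocalFile(string $path): ?string
{
    if (preg_match('~^[a-z][a-z0-9+.-]+:~i', $path) === 1) {
        return null; // stream wrapper or URL, not a filesystem path
    }
    if (! is_file($path)) {
        return null;
    }
    $raw = file_get_contents($path);

    return $raw === false ? null : $raw;
}

// Demo on a constructed temporary layout: root/sub/ plus a symlink root/link -> a directory outside root.
$base = sys_get_temp_dir().DIRECTORY_SEPARATOR.'resolver-demo-'.bin2hex(random_bytes(4));
$root = $base.DIRECTORY_SEPARATOR.'root';
$outside = $base.DIRECTORY_SEPARATOR.'outside';
mkdir($root.DIRECTORY_SEPARATOR.'sub', 0700, true);
mkdir($outside, 0700, true);
@symlink($outside, $root.DIRECTORY_SEPARATOR.'link'); // if symlinks are unavailable the case is rejected anyway
file_put_contents($root.'/sub/meta.json', '{"ok":true}'); // constructed sample file

$cases = [
    'sub/new.txt',       // accepted
    '../escape.txt',     // rejected by the name check
    '....//escape.txt',  // rejected here; naiveStrip() would hand back "../escape.txt"
    "sub/\0.txt",        // rejected (NUL byte)
    'link/escape.txt',   // passes the name check, caught only by the realpath containment
];
foreach ($cases as $name) {
    $resolved = resolveImportTarget($root, $name);
    printf("%-24s naive=%-18s resolve=%s\n", json_encode($name), naiveStrip($name), $resolved ?? 'REJECTED');
}

printf("local file: %s\n", readLocalFile($root.'/sub/meta.json') ?? 'REFUSED');
printf("wrapper:    %s\n", readLocalFile('php://stdin') ?? 'REFUSED');
printf("url:        %s\n", readLocalFile('http://example.invalid/meta.json') ?? 'REFUSED');
```

The symlink case is the one worth keeping in a unit test: `link/escape.txt` contains none of the rejected characters, so only the `realpath()` step stops it, which is why a suppression justification should point at that step and not only at the string check.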