Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

LGTM deprecation: miscellaneous changes #11433

Open
wants to merge 8 commits into
base: main
Choose a base branch
from

Conversation

felicitymay
Copy link
Contributor

@felicitymay felicitymay commented Nov 25, 2022

The changes in this pull request replace references to LGTM in the following locations:

If your team has been pinged, please can you take a look and check that the substitutions that I've made are appropriate. Feedback very welcome.

@github-actions
Copy link
Contributor

github-actions bot commented Nov 25, 2022

QHelp previews:

go/ql/src/Security/CWE-601/BadRedirectCheck.qhelp

Bad redirect check

Redirect URLs should be checked to ensure that user input cannot cause a site to redirect to arbitrary domains. This is often done with a check that the redirect URL begins with a slash, which most of the time is an absolute redirect on the same host. However, browsers interpret URLs beginning with // or /\ as absolute URLs. For example, a redirect to //example.com will redirect to https://example.com. Thus, redirect checks must also check the second character of redirect URLs.

Recommendation

Also disallow redirect URLs starting with // or /\.

Example

The following function validates a (presumably untrusted) redirect URL redir. If it does not begin with /, the harmless placeholder redirect URL / is returned to prevent an open redirect; otherwise redir itself is returned.

0 && redir[0] == '/' { return redir } return "/" } ">
package main

func sanitizeUrl(redir string) string {
	if len(redir) > 0 && redir[0] == '/' {
		return redir
	}
	return "/"
}

While this check provides partial protection, it should be extended to cover // and /\ as well:

package main

func sanitizeUrl1(redir string) string {
	if len(redir) > 1 && redir[0] == '/' && redir[1] != '/' && redir[1] != '\\' {
		return redir
	}
	return "/"
}

References

python/ql/src/Imports/SyntaxError.qhelp

Syntax error

Syntax errors prevent a module being evaluated and thus imported. An attempt to import a module with invalid syntax will fail; a SyntaxError will be raised.

A common cause of syntax errors is the difference in syntax between Python 2 and Python 3. In particular, a syntax error may be alerted if a Python 3 file is assumed to be compatible with Python 2 (or vice versa). Explicitly specifying the expected Python version can help prevent this.

The existence of a syntax error in a module may suggest other problems as well. Either the module is never imported in practice and could be deleted or a try statement around the import is mistakenly discarding the SyntaxError.

Recommendation

Fixing the syntax error is the obvious fix. However, it is worth investigating why a module containing a syntax error was able to persist and address that problem as well.

If you suspect that the syntax error is caused by the analysis using the wrong version of Python, consider specifying the version explicitly. When you run code scanning using the CodeQL action, you can configure the Python version to use. For more information, see Analyzing Python dependencies.

References

@felicitymay felicitymay added the no-change-note-required This PR does not need a change note label Nov 25, 2022
@felicitymay
Copy link
Contributor Author

felicitymay commented Nov 25, 2022

It looks as if I need to run a formatter over the query files (and maybe the QLL files). Can someone help?

Copy link
Contributor

@owen-mc owen-mc left a comment

Go 👍🏻

tausbn
tausbn previously approved these changes Nov 25, 2022
Copy link
Contributor

@tausbn tausbn left a comment

Python 👍
(Though we'll probably want to revisit this advice about setting the version at a later date, since it should soon be the case that the Python version has no effect on things like syntax errors.)

Co-authored-by: Taus <tausbn@github.com>
Copy link
Contributor

@MathiasVP MathiasVP left a comment

C/C++ 👍

@tausbn
Copy link
Contributor

tausbn commented Nov 25, 2022

It looks as if I need to run a formatter over the query files (and maybe the QLL files). Can someone help?

In case you ever need to invoke the formatter in the future, the relevant command is

codeql query format -i

(-i for "in-place", which is probably the most useful for this situation) followed by the path to the file that needs to be formatted.

If you don't have the CodeQL CLI installed locally, the easiest way to install it is probably to do so via the gh utility. This can be done by writing

gh extension install github/gh-codeql

(and then using gh codeql in place of just codeql in the aformentioned command).

Alternatively, you can format the file using the VSCode CodeQL extension. 🙂

tausbn
tausbn approved these changes Nov 25, 2022
@@ -9,6 +9,5 @@ assignees: ''

**Description of the issue**

<!-- Please explain briefly what is the problem.
If it is about an LGTM project, please include its URL.-->
Copy link
Contributor

@aeisenberg aeisenberg Nov 25, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it useful to keep something like this in, but change LGTM -> GitHub?

Copy link
Contributor Author

@felicitymay felicitymay Nov 25, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I couldn't make the suggestion here, so have put the revised comment back in a different comment.

@@ -9,6 +9,5 @@ assignees: ''

**Description of the issue**

<!-- Please explain briefly what is the problem.
If it is about an LGTM project, please include its URL.-->
<!-- Please explain briefly what is the problem.-->
Copy link
Contributor Author

@felicitymay felicitymay Nov 25, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
<!-- Please explain briefly what is the problem.-->
<!-- Please explain briefly what is the problem.
If it is about a GitHub project, please include its URL. -->

Copy link
Contributor Author

@felicitymay felicitymay Nov 25, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion in response to @aeisenberg's comment on the line below.

Copy link
Contributor

@aeisenberg aeisenberg left a comment

from codeql-experiences team.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

6 participants