Codeql security fixes #2169

Conversation

stevenhorsman (Member)

Fix the 5 CodeQL security alerts we currently have

Incorrect conversion of an unsigned 64-bit integer from  to a lower bit size type uint32 without an upper bound check.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
I think this is low risk as it's in test code, but CodeQL throws the warning:
> Directly writing user input (for example, an HTTP request parameter) to
> an HTTP response without properly sanitizing the input first, allows for
> a cross-site scripting vulnerability.

so we might as well try and fix it.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
CodeQL is throwing up a high severity error:
> Sensitive information that is logged unencrypted is
> accessible to an attacker who gains access to the logs.

Longer term we might want to log selective fields, or
provide a way to just hide the sensitive fields, but for now
I've just removed the debug logs that expose things like API Keys

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
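Worked example of the three fix shapes the commits above describe: a bounded uint64 to uint32 conversion, an echo handler before and after HTML escaping, and a config type that redacts its API key whenever it is formatted for a log. This is an added illustration, not code from this PR or from the confidential-containers repository; ToUint32, unsafeEcho/safeEcho, ProviderConfig, the field names and the sample values are assumed names and constructed inputs.

```go
package main

import (
	"errors"
	"fmt"
	"html"
	"log"
	"math"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// ---- 1. Narrowing conversion: uint64 -> uint32 with an upper bound check ----

// ErrOverflow reports a value that does not fit the narrower type.
var ErrOverflow = errors.New("value exceeds math.MaxUint32")

// ToUint32 is the checked form of the conversion CodeQL flagged: a bare
// uint32(v) silently keeps the low 32 bits, so 4294967296 becomes 0.
func ToUint32(v uint64) (uint32, error) {
	if v > math.MaxUint32 {
		return 0, ErrOverflow
	}
	return uint32(v), nil
}

// ---- 2. Reflected XSS: echoing a query parameter into an HTML response ----

// xssPayload is a constructed probe; echoTarget builds the request path the
// way a browser would send it (percent-encoded).
var xssPayload = "<script>alert(1)</script>"

func echoTarget(name string) string { return "/?name=" + url.QueryEscape(name) }

// unsafeEcho writes the decoded request parameter straight into the body, so
// the probe comes back as live markup. This is the shape CodeQL warns about.
func unsafeEcho(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprintf(w, "<p>hello %s</p>", r.URL.Query().Get("name"))
}

// safeEcho HTML-escapes the parameter first, so the same input is rendered as
// text. html.EscapeString is a sanitizer the CodeQL Go XSS query recognises.
func safeEcho(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprintf(w, "<p>hello %s</p>", html.EscapeString(r.URL.Query().Get("name")))
}

// serve drives a handler with an in-memory request and returns the body, so
// both variants can be compared without opening a socket.
func serve(h http.HandlerFunc, target string) string {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Body.String()
}

// ---- 3. Clear-text logging of secrets: redact at the type, not the call site ----

// ProviderConfig is an assumed stand-in for a cloud provider config that
// carries an API key alongside harmless fields.
type ProviderConfig struct {
	Endpoint string
	APIKey   string
}

// redact hides a secret while still showing whether it was set, which is
// usually all a debug log needs.
func redact(secret string) string {
	if secret == "" {
		return "<unset>"
	}
	return "<redacted>"
}

// String makes every %v, %s and %+v formatting of the struct safe, so a stray
// log.Printf("%+v", cfg) no longer leaks the key. %#v uses GoStringer instead
// and JSON/YAML encoders ignore Stringer entirely, so keep those away from it.
func (c ProviderConfig) String() string {
	return fmt.Sprintf("ProviderConfig{Endpoint:%q APIKey:%s}", c.Endpoint, redact(c.APIKey))
}

func main() {
	// Constructed inputs for the demo.
	for _, v := range []uint64{42, math.MaxUint32, math.MaxUint32 + 1} {
		n, err := ToUint32(v)
		fmt.Printf("ToUint32(%d) = %d, err=%v (bare cast would give %d)\n", v, n, err, uint32(v))
	}

	fmt.Println("unsafe:", serve(unsafeEcho, echoTarget(xssPayload)))
	fmt.Println("safe:  ", serve(safeEcho, echoTarget(xssPayload)))

	cfg := ProviderConfig{Endpoint: "https://api.example.invalid", APIKey: "constructed-secret-123"}
	log.Printf("config: %v", cfg) // logs <redacted>, never the key
}
```

The Stringer approach is the "hide the sensitive fields" option the commit mentions; it is cheaper than auditing every call site, but it only covers fmt-style formatting, so a config that is also marshalled to JSON or YAML still needs a separate redacted copy or field tags.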
@stevenhorsman stevenhorsman added the test_e2e_libvirt Run Libvirt e2e tests label Nov 27, 2024
@stevenhorsman stevenhorsman requested a review from a team as a code owner November 27, 2024 17:14
@wainersm wainersm (Member) left a comment


Thanks Steve!

@wainersm wainersm merged commit ac6e23f into confidential-containers:main Nov 28, 2024
30 of 32 checks passed
@stevenhorsman stevenhorsman deleted the codeql-security-fixes-nov-2024 branch November 28, 2024 12:50