
ER: CodeQL did not raise alerts on each instance of "Potentially unsafe external link" #6485

Open
1 of 5 tasks
roslynwythe opened this issue Mar 20, 2024 · 3 comments
Labels
Complexity: See issue making label See the Issue Making label to understand the issue writing difficulty level Dependency An issue is blocking the completion or starting of another issue ER Emergent Request Feature: Code Alerts manual dependency release role: back end/devOps Tasks for back-end developers size: 0.25pt Can be done in 0.5 to 1.5 hours
Milestone

Comments


roslynwythe commented Mar 20, 2024

Dependencies

The issue could be resolved with:

Emergent Requirement - Problem

  • The file _includes/current_guides.html contained two instances of "Potentially unsafe external links" but only one CodeQL alert was raised.
  • The file _includes/about-page/about-card-sponsors contained four instances of "Potentially unsafe external links" but only one CodeQL alert was raised.

Details

Regarding _includes/current_guides.html:

Issue you discovered this emergent requirement in

Date discovered

3/4/2024

Did you have to do something temporarily

Who was involved

@djbradleyii

What happens if this is not addressed

code security/quality issues may be missed

Resources

Recommended Action Items

  • Make a new issue
  • Discuss with team
  • Let a Team Lead know

Potential solutions [draft]

  • We are aware that CodeQL runs into errors scanning JavaScript code files with Liquid statements. In both files in which CodeQL failed to report errors, Liquid code was found. Therefore I suggest putting this ER on hold, with a dependency on update project profile food oasis reorder leadership member #6387
  • Search/audit the codebase for any other instances of "Potentially unsafe external link" that are not detected by CodeQL
  • research to determine possible reasons why CodeQL did not create an alert for this instance of "Potentially unsafe external link"
@roslynwythe roslynwythe added Feature Missing This label means that the issue needs to be linked to a precise feature label. size: 0.25pt Can be done in 0.5 to 1.5 hours ER Emergent Request role missing Complexity: Missing labels Mar 20, 2024


@roslynwythe roslynwythe changed the title ER: [replace with info ] ER: CodeQL did not raise alerts on each instance of "Potentially unsafe external link" Mar 20, 2024
@roslynwythe roslynwythe added Complexity: See issue making label See the Issue Making label to understand the issue writing difficulty level Feature: Code Alerts role: back end/devOps Tasks for back-end developers and removed Feature Missing This label means that the issue needs to be linked to a precise feature label. role missing Complexity: Missing labels Mar 20, 2024
@ExperimentsInHonesty ExperimentsInHonesty added this to the 02. Security milestone Mar 26, 2024
@ExperimentsInHonesty ExperimentsInHonesty added the Draft Issue is still in the process of being created label Mar 26, 2024

Hi @roslynwythe, thank you for taking up this issue! Hfla appreciates you :)

Do let fellow developers know about your:-
i. Availability: (When are you available to work on the issue/answer questions other programmers might have about your issue?)
ii. ETA: (When do you expect this issue to be completed?)

You're awesome!

P.S. - You may not take up another issue until this issue gets merged (or closed). Thanks again :)


elliot-d-kim commented Apr 25, 2024

During my testing in #5234, the issues downstream of the top-most YAML or Liquid lines would not generate CodeQL alerts. As noted in that issue:

Remove only the empty YAML front-matter: CodeQL errors moved down the files to the next non-JS (i.e. Liquid) lines.

I.e., YAML/Liquid errors prevent CodeQL from scanning the remainder of the file for potential errors it would otherwise typically detect.

This may be the reason why issues such as this fail to generate CodeQL alerts.
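An added audit helper, not code from the hfla website repository or from CodeQL, for the "search/audit the codebase" action item in the issue description and for the situation elliot-d-kim describes above: it scans raw HTML/Liquid template text directly, so anchors that sit after a Liquid line (and anchors split over several lines) are still reported. The sample template below is constructed and the Liquid variable names in it are assumptions.

```javascript
// Audit helper (added example, not part of the hfla website repo): find <a> tags
// that open a new tab (target="_blank") without rel="noopener"/"noreferrer",
// which is what CodeQL's "Potentially unsafe external link" alert reports.
// It works on the raw template text, so Liquid such as href="{{ g.url }}" does
// not stop the scan the way the issue describes for CodeQL.

// One <a ...> opening tag, possibly spanning several lines. Caveat: a Liquid
// tag containing ">" inside the anchor (e.g. {% if a > b %}) would cut it short.
const ANCHOR_RE = /<a\b[^>]*>/gi;

function hasUnsafeTarget(tag) {
  // target="_blank" (quotes optional, case-insensitive)
  if (!/\btarget\s*=\s*["']?_blank["']?/i.test(tag)) return false;
  // quoted rel attribute, if present (unquoted rel values are not handled)
  const rel = tag.match(/\brel\s*=\s*["']([^"']*)["']/i);
  const tokens = rel ? rel[1].toLowerCase().split(/\s+/) : [];
  // noopener is sufficient; noreferrer implies noopener in current browsers
  return !(tokens.includes("noopener") || tokens.includes("noreferrer"));
}

// Returns [{ line, tag }] for every unsafe anchor, 1-based line of the tag start.
function findUnsafeExternalLinks(source) {
  const findings = [];
  for (const m of source.matchAll(ANCHOR_RE)) {
    if (hasUnsafeTarget(m[0])) {
      const line = source.slice(0, m.index).split("\n").length;
      findings.push({ line, tag: m[0] });
    }
  }
  return findings;
}

// Constructed sample modelled on a Jekyll include with front matter and Liquid.
const SAMPLE = `---
---
{% assign guides = site.data.guides %}
<ul>
{% for g in guides %}
  <li><a href="{{ g.url }}" target="_blank">{{ g.title }}</a></li>
  <li><a href="{{ g.repo }}" target="_blank" rel="noopener noreferrer">Repo</a></li>
  <li><a target="_blank"
         href="https://example.org/">Docs</a></li>
{% endfor %}
</ul>
`;

for (const f of findUnsafeExternalLinks(SAMPLE)) {
  console.log(`line ${f.line}: ${f.tag.replace(/\s+/g, " ")}`);
}
```

Run it over each file under _includes (for example by reading them with fs.readFileSync) to cross-check the two files named in the issue against what CodeQL reported.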

@roslynwythe roslynwythe moved this from Emergent Requests to Ice box in P: HfLA Website: Project Board Jul 7, 2024
@roslynwythe roslynwythe removed the Draft Issue is still in the process of being created label Jul 7, 2024
@roslynwythe roslynwythe removed their assignment Jul 7, 2024
@ExperimentsInHonesty ExperimentsInHonesty added the Dependency An issue is blocking the completion or starting of another issue label Aug 30, 2024