diff --git a/libraries/Adapters/Microsoft.Bot.Builder.Adapters.Webex/WebexClientWrapper.cs b/libraries/Adapters/Microsoft.Bot.Builder.Adapters.Webex/WebexClientWrapper.cs
index 982739877c..479542aac2 100644
--- a/libraries/Adapters/Microsoft.Bot.Builder.Adapters.Webex/WebexClientWrapper.cs
+++ b/libraries/Adapters/Microsoft.Bot.Builder.Adapters.Webex/WebexClientWrapper.cs
@@ -71,14 +71,14 @@ public virtual bool ValidateSignature(HttpRequest request, string jsonPayload)
 ? request.Headers[SparkSignature].ToString().ToUpperInvariant()
 : throw new InvalidOperationException($"HttpRequest is missing \"{SparkSignature}\"");
-#pragma warning disable CA5350 // Webex API uses SHA1 as cryptographic algorithm.
- using (var hmac = new HMACSHA1(Encoding.UTF8.GetBytes(Options.WebexSecret))) //lgtm[cs/weak-encryption]
+#pragma warning disable CA5350
+ using (var hmac = new HMACSHA1(Encoding.UTF8.GetBytes(Options.WebexSecret))) // CODEQL [cs/weak-encryption] Webex API uses SHA1 as cryptographic algorithm.
 {
 var hashArray = hmac.ComputeHash(Encoding.UTF8.GetBytes(jsonPayload));
 var hash = BitConverter.ToString(hashArray).Replace("-", string.Empty).ToUpperInvariant();
 return signature == hash;
 }
-#pragma warning restore CA5350 // Webex API uses SHA1 as cryptographic algorithm.
+#pragma warning restore CA5350
 }
 ///
diff --git a/libraries/Microsoft.Bot.Builder.Azure.Blobs/BlobsTranscriptStore.cs b/libraries/Microsoft.Bot.Builder.Azure.Blobs/BlobsTranscriptStore.cs
index 5b5685f844..924c2d8c96 100644
--- a/libraries/Microsoft.Bot.Builder.Azure.Blobs/BlobsTranscriptStore.cs
+++ b/libraries/Microsoft.Bot.Builder.Azure.Blobs/BlobsTranscriptStore.cs
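Review bot: `return signature == hash;` checks the caller-supplied signature against the computed HMAC with ordinary string equality, which stops at the first differing character; a signature check over untrusted input should use a constant-time comparison, e.g. `return CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(signature), Encoding.UTF8.GetBytes(hash));` (available from .NET Core 2.1 / netstandard2.1 — if the adapter targets an older framework, a fixed-time loop over the two strings after a length check does the same). Both values are already upper-cased hex, so the result is unchanged. The method's opening lines, including where `signature` is assigned, are outside the hunk.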
@@ -114,7 +114,7 @@ internal BlobsTranscriptStore(BlobContainerClient containerClient, JsonSerialize
 _jsonSerializer = jsonSerializer ?? JsonSerializer.Create(new JsonSerializerSettings
 {
- TypeNameHandling = TypeNameHandling.All, // lgtm [cs/unsafe-type-name-handling]
+ TypeNameHandling = TypeNameHandling.All, // CODEQL [cs/unsafe-type-name-handling] we use All so that we get typed roundtrip out of storage, but we don't use validation because we don't know what types are valid
 MaxDepth = null,
 });
 }
diff --git a/libraries/Microsoft.Bot.Builder.Azure/AzureBlobStorage.cs b/libraries/Microsoft.Bot.Builder.Azure/AzureBlobStorage.cs
index c2a025a196..d336db16c5 100644
--- a/libraries/Microsoft.Bot.Builder.Azure/AzureBlobStorage.cs
+++ b/libraries/Microsoft.Bot.Builder.Azure/AzureBlobStorage.cs
@@ -33,8 +33,7 @@ public class AzureBlobStorage : IStorage
 {
 private static readonly JsonSerializer JsonSerializer = JsonSerializer.Create(new JsonSerializerSettings
 {
- // we use All so that we get typed roundtrip out of storage, but we don't use validation because we don't know what types are valid
- TypeNameHandling = TypeNameHandling.All, // lgtm [cs/unsafe-type-name-handling]
+ TypeNameHandling = TypeNameHandling.All, // CODEQL [cs/unsafe-type-name-handling] we use All so that we get typed roundtrip out of storage, but we don't use validation because we don't know what types are valid
 MaxDepth = null,
 });
diff --git a/libraries/Microsoft.Bot.Builder.Azure/CosmosDbPartitionedStorage.cs b/libraries/Microsoft.Bot.Builder.Azure/CosmosDbPartitionedStorage.cs
index a8bc9b7fe7..8e1ff78578 100644
--- a/libraries/Microsoft.Bot.Builder.Azure/CosmosDbPartitionedStorage.cs
+++ b/libraries/Microsoft.Bot.Builder.Azure/CosmosDbPartitionedStorage.cs
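Review bot: The justification now carried on the `TypeNameHandling = TypeNameHandling.All` line ("we don't use validation because we don't know what types are valid") is at odds with what this commit's own test hunks show: an `AllowedTypesSerializationBinder` exists and is used with these same settings, and `BlobsTranscriptStore` already accepts a caller-supplied serializer (`jsonSerializer ?? JsonSerializer.Create(...)`). I'd word the suppression so it tells a consumer how to close the gap, e.g. `// CODEQL [cs/unsafe-type-name-handling] All is needed for typed round-trip of arbitrary state; callers that know their state types should pass a JsonSerializer configured with AllowedTypesSerializationBinder.` The same copied text appears in AzureBlobStorage (next hunk on this line), CosmosDbPartitionedStorage and MemoryStorage; those initialise a `static readonly`/field serializer, so whether a binder can be injected there is not visible in the hunks and the comment may need to say the restriction is not configurable. `MaxDepth = null` on the following line also removes Json.NET's nesting limit and deserves a justification of its own if stored payloads are not fully trusted.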
@@ -24,7 +24,7 @@ public class CosmosDbPartitionedStorage : IStorage, IDisposable
 private readonly JsonSerializer _jsonSerializer = JsonSerializer.Create(new JsonSerializerSettings
 {
- TypeNameHandling = TypeNameHandling.All, // lgtm [cs/unsafe-type-name-handling]
+ TypeNameHandling = TypeNameHandling.All, // CODEQL [cs/unsafe-type-name-handling] we use All so that we get typed roundtrip out of storage, but we don't use validation because we don't know what types are valid
 MaxDepth = null
 });
diff --git a/libraries/Microsoft.Bot.Builder/MemoryStorage.cs b/libraries/Microsoft.Bot.Builder/MemoryStorage.cs
index 839a947c9d..3773008c25 100644
--- a/libraries/Microsoft.Bot.Builder/MemoryStorage.cs
+++ b/libraries/Microsoft.Bot.Builder/MemoryStorage.cs
@@ -18,7 +18,7 @@ public class MemoryStorage : IStorage
 {
 private static readonly JsonSerializer StateJsonSerializer = new JsonSerializer()
 {
- TypeNameHandling = TypeNameHandling.All, // lgtm [cs/unsafe-type-name-handling]
+ TypeNameHandling = TypeNameHandling.All, // CODEQL [cs/unsafe-type-name-handling] we use All so that we get typed roundtrip out of storage, but we don't use validation because we don't know what types are valid
 ReferenceLoopHandling = ReferenceLoopHandling.Error,
 MaxDepth = null
 };
diff --git a/libraries/Microsoft.Bot.Connector/Authentication/AseChannelValidation.cs b/libraries/Microsoft.Bot.Connector/Authentication/AseChannelValidation.cs
index 581868bb7a..ed59065a47 100644
--- a/libraries/Microsoft.Bot.Connector/Authentication/AseChannelValidation.cs
+++ b/libraries/Microsoft.Bot.Connector/Authentication/AseChannelValidation.cs
@@ -31,8 +31,7 @@ public static class AseChannelValidation
 {
 ValidateIssuer = true,
- // Audience validation takes place manually in code.
- ValidateAudience = false, // lgtm[cs/web/missing-token-validation]
+ ValidateAudience = false, // CODEQL [cs/web/missing-token-validation] Audience validation takes place manually in code.
 ValidateLifetime = true,
 ClockSkew = TimeSpan.FromMinutes(5),
 RequireSignedTokens = true,
diff --git a/libraries/Microsoft.Bot.Connector/Authentication/ChannelValidation.cs b/libraries/Microsoft.Bot.Connector/Authentication/ChannelValidation.cs
index 3788b00c70..15bff15522 100644
--- a/libraries/Microsoft.Bot.Connector/Authentication/ChannelValidation.cs
+++ b/libraries/Microsoft.Bot.Connector/Authentication/ChannelValidation.cs
@@ -25,8 +25,7 @@ public static class ChannelValidation
 ValidateIssuer = true,
 ValidIssuers = new[] { AuthenticationConstants.ToBotFromChannelTokenIssuer },
- // Audience validation takes place in JwtTokenExtractor
- ValidateAudience = false, // lgtm[cs/web/missing-token-validation]
+ ValidateAudience = false, // CODEQL [cs/web/missing-token-validation] Audience validation takes place in JwtTokenExtractor
 ValidateLifetime = true,
 ClockSkew = TimeSpan.FromMinutes(5),
 RequireSignedTokens = true,
diff --git a/libraries/Microsoft.Bot.Connector/Authentication/EmulatorValidation.cs b/libraries/Microsoft.Bot.Connector/Authentication/EmulatorValidation.cs
index aa2ef1f92b..602bf4cd47 100644
--- a/libraries/Microsoft.Bot.Connector/Authentication/EmulatorValidation.cs
+++ b/libraries/Microsoft.Bot.Connector/Authentication/EmulatorValidation.cs
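Review bot: The justification `Audience validation takes place manually in code.` on the AseChannelValidation `ValidateAudience = false` line does not say where that happens, which is exactly what someone auditing a `missing-token-validation` suppression needs; the ChannelValidation hunk on this same line does better by naming `JwtTokenExtractor`. I'd make it `// CODEQL [cs/web/missing-token-validation] Audience is validated after token validation in [validating method]` with the real method name, which I cannot see from the hunk. The same vague wording is reused in EmulatorValidation, in ParameterizedBotFrameworkAuthentication's EmulatorValidation_AuthenticateEmulatorTokenAsync hunk, and in SkillValidation.AuthenticateChannelToken.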
@@ -37,8 +37,7 @@ public static class EmulatorValidation
 "https://login.microsoftonline.us/f8cdef31-a31e-4b4a-93e4-5f571e91255a/v2.0", // Auth for US Gov, 2.0 token
 },
- // Audience validation takes place manually in code.
- ValidateAudience = false, // lgtm[cs/web/missing-token-validation]
+ ValidateAudience = false, // CODEQL [cs/web/missing-token-validation] Audience validation takes place manually in code.
 ValidateLifetime = true,
 ClockSkew = TimeSpan.FromMinutes(5),
 RequireSignedTokens = true,
diff --git a/libraries/Microsoft.Bot.Connector/Authentication/EnterpriseChannelValidation.cs b/libraries/Microsoft.Bot.Connector/Authentication/EnterpriseChannelValidation.cs
index 0bd56742d9..c0429bebc5 100644
--- a/libraries/Microsoft.Bot.Connector/Authentication/EnterpriseChannelValidation.cs
+++ b/libraries/Microsoft.Bot.Connector/Authentication/EnterpriseChannelValidation.cs
@@ -26,8 +26,7 @@ public sealed class EnterpriseChannelValidation
 ValidateIssuer = true,
 ValidIssuers = new[] { AuthenticationConstants.ToBotFromChannelTokenIssuer },
- // Audience validation takes place in JwtTokenExtractor
- ValidateAudience = false, // lgtm[cs/web/missing-token-validation]
+ ValidateAudience = false, // CODEQL [cs/web/missing-token-validation] Audience validation takes place in JwtTokenExtractor
 ValidateLifetime = true,
 ClockSkew = TimeSpan.FromMinutes(5),
 RequireSignedTokens = true,
diff --git a/libraries/Microsoft.Bot.Connector/Authentication/GovernmentChannelValidation.cs b/libraries/Microsoft.Bot.Connector/Authentication/GovernmentChannelValidation.cs
index 2e3eefd22c..aa0b62b671 100644
--- a/libraries/Microsoft.Bot.Connector/Authentication/GovernmentChannelValidation.cs
+++ b/libraries/Microsoft.Bot.Connector/Authentication/GovernmentChannelValidation.cs
@@ -25,8 +25,7 @@ public sealed class GovernmentChannelValidation
 ValidateIssuer = true,
 ValidIssuers = new[] { GovernmentAuthenticationConstants.ToBotFromChannelTokenIssuer },
- // Audience validation takes place in JwtTokenExtractor
- ValidateAudience = false, // lgtm[cs/web/missing-token-validation]
+ ValidateAudience = false, // CODEQL [cs/web/missing-token-validation] Audience validation takes place in JwtTokenExtractor
 ValidateLifetime = true,
 ClockSkew = TimeSpan.FromMinutes(5),
 RequireSignedTokens = true,
diff --git a/libraries/Microsoft.Bot.Connector/Authentication/ParameterizedBotFrameworkAuthentication.cs b/libraries/Microsoft.Bot.Connector/Authentication/ParameterizedBotFrameworkAuthentication.cs
index 60d5171795..d753b1972f 100644
--- a/libraries/Microsoft.Bot.Connector/Authentication/ParameterizedBotFrameworkAuthentication.cs
+++ b/libraries/Microsoft.Bot.Connector/Authentication/ParameterizedBotFrameworkAuthentication.cs
@@ -210,8 +210,7 @@ private async Task SkillValidation_AuthenticateChannelTokenAsync
 "https://login.microsoftonline.us/cab8a31a-1906-4287-a0d8-4eef66b95f6e/v2.0" // Auth for US Gov, 2.0 token
 },
- // Audience validation takes place manually in code.
- ValidateAudience = true, // lgtm[cs/web/missing-token-validation]
+ ValidateAudience = true, // CODEQL [cs/web/missing-token-validation] Audience validation takes place manually in code.
 ValidateLifetime = true,
 ClockSkew = TimeSpan.FromMinutes(5),
 RequireSignedTokens = true
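Review bot: In the `SkillValidation_AuthenticateChannelTokenAsync` hunk, `ValidateAudience = true` now carries a `CODEQL [cs/web/missing-token-validation]` suppression whose justification says audience validation is done manually, but with validation enabled no such alert should fire and the justification contradicts the value beside it. The sibling code in SkillValidation.AuthenticateChannelToken later in this diff sets `ValidateAudience = false` for the same issuer list, so either this line is a deliberate difference that the comment should explain (in which case a `ValidAudiences` or `AudienceValidator` must be configured, which I cannot see in the hunk) or the suppression is stale and the line should simply read `ValidateAudience = true,`. The enclosing method starts and ends outside the hunk.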
@@ -300,8 +299,7 @@ private async Task EmulatorValidation_AuthenticateEmulatorTokenA
 "https://login.microsoftonline.us/cab8a31a-1906-4287-a0d8-4eef66b95f6e/v2.0", // Auth for US Gov, 2.0 token
 },
- // Audience validation takes place manually in code.
- ValidateAudience = false, // lgtm[cs/web/missing-token-validation]
+ ValidateAudience = false, // CODEQL [cs/web/missing-token-validation] Audience validation takes place manually in code.
 ValidateLifetime = true,
 ClockSkew = TimeSpan.FromMinutes(5),
 RequireSignedTokens = true,
@@ -414,8 +412,7 @@ private TokenValidationParameters GovernmentChannelValidation_GetTokenValidation
 ValidateIssuer = true,
 ValidIssuers = new[] { _toBotFromChannelTokenIssuer },
- // Audience validation takes place in JwtTokenExtractor
- ValidateAudience = false, // lgtm[cs/web/missing-token-validation]
+ ValidateAudience = false, // CODEQL [cs/web/missing-token-validation] Audience validation takes place in JwtTokenExtractor
 ValidateLifetime = true,
 ClockSkew = TimeSpan.FromMinutes(5),
 RequireSignedTokens = true,
diff --git a/libraries/Microsoft.Bot.Connector/Authentication/SkillValidation.cs b/libraries/Microsoft.Bot.Connector/Authentication/SkillValidation.cs
index 3b86e51b81..2274c9ea4b 100644
--- a/libraries/Microsoft.Bot.Connector/Authentication/SkillValidation.cs
+++ b/libraries/Microsoft.Bot.Connector/Authentication/SkillValidation.cs
@@ -136,8 +136,7 @@ public static async Task AuthenticateChannelToken(string authHea
 "https://login.microsoftonline.us/f8cdef31-a31e-4b4a-93e4-5f571e91255a/v2.0", // Auth for US Gov, 2.0 token
 },
- // Audience validation takes place manually in code.
- ValidateAudience = false, // lgtm[cs/web/missing-token-validation]
+ ValidateAudience = false, // CODEQL [cs/web/missing-token-validation] Audience validation takes place manually in code.
 ValidateLifetime = true,
 ClockSkew = TimeSpan.FromMinutes(5),
 RequireSignedTokens = true
diff --git a/tests/Microsoft.Bot.Builder.Azure.Tests/BlobsStorageTests.cs b/tests/Microsoft.Bot.Builder.Azure.Tests/BlobsStorageTests.cs
index 5e840d6d56..219c3f1d0e 100644
--- a/tests/Microsoft.Bot.Builder.Azure.Tests/BlobsStorageTests.cs
+++ b/tests/Microsoft.Bot.Builder.Azure.Tests/BlobsStorageTests.cs
@@ -126,7 +126,7 @@ public async void WriteAsyncWithAllowedTypesSerializationBinder()
 });
 var jsonSerializerSettings = new JsonSerializerSettings
 {
- TypeNameHandling = TypeNameHandling.All, // lgtm [cs/unsafe-type-name-handling]
+ TypeNameHandling = TypeNameHandling.All, // CODEQL [cs/unsafe-type-name-handling] we use All so that we get typed roundtrip out of storage, but we don't use validation because we don't know what types are valid
 MaxDepth = null,
 SerializationBinder = serializationBinder,
 };
@@ -175,7 +175,7 @@ public async void WriteAsyncWithEmptyAllowedTypesSerializationBinder()
 var serializationBinder = new AllowedTypesSerializationBinder();
 var jsonSerializerSettings = new JsonSerializerSettings
 {
- TypeNameHandling = TypeNameHandling.All, // lgtm [cs/unsafe-type-name-handling]
+ TypeNameHandling = TypeNameHandling.All, // CODEQL [cs/unsafe-type-name-handling] we use All so that we get typed roundtrip out of storage, but we don't use validation because we don't know what types are valid
 MaxDepth = null,
 SerializationBinder = serializationBinder,
 };
@@ -295,7 +295,7 @@ public async void ReadAsyncWithAllowedTypesSerializationBinder()
 {
 var jsonSerializerSettings = new JsonSerializerSettings
 {
- TypeNameHandling = TypeNameHandling.All, // lgtm [cs/unsafe-type-name-handling]
+ TypeNameHandling = TypeNameHandling.All, // CODEQL [cs/unsafe-type-name-handling] we use All so that we get typed roundtrip out of storage, but we don't use validation because we don't know what types are valid
 MaxDepth = null,
 SerializationBinder = new AllowedTypesSerializationBinder(
 new List
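Review bot: The copied justification "we don't use validation because we don't know what types are valid" is false in these tests: two lines below it, `SerializationBinder = serializationBinder` (an `AllowedTypesSerializationBinder`) is precisely that validation, and the test names say so. A suppression whose stated reason does not match the code misleads the next person auditing the alert; `// CODEQL [cs/unsafe-type-name-handling] test exercises AllowedTypesSerializationBinder, which restricts the types that can be deserialized` would be accurate. The same text is pasted into the other BlobsStorageTests hunks and the four CosmosDbPartitionedStorageTests hunks that follow.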
@@ -337,7 +337,7 @@ public async void ReadAsyncWithEmptyAllowedTypesSerializationBinder()
 {
 var jsonSerializerSettings = new JsonSerializerSettings
 {
- TypeNameHandling = TypeNameHandling.All, // lgtm [cs/unsafe-type-name-handling]
+ TypeNameHandling = TypeNameHandling.All, // CODEQL [cs/unsafe-type-name-handling] we use All so that we get typed roundtrip out of storage, but we don't use validation because we don't know what types are valid
 MaxDepth = null,
 SerializationBinder = new AllowedTypesSerializationBinder(),
 };
diff --git a/tests/Microsoft.Bot.Builder.Azure.Tests/CosmosDbPartitionedStorageTests.cs b/tests/Microsoft.Bot.Builder.Azure.Tests/CosmosDbPartitionedStorageTests.cs
index f16b197a5c..02576e4e0a 100644
--- a/tests/Microsoft.Bot.Builder.Azure.Tests/CosmosDbPartitionedStorageTests.cs
+++ b/tests/Microsoft.Bot.Builder.Azure.Tests/CosmosDbPartitionedStorageTests.cs
@@ -142,7 +142,7 @@ public async void ReadAsyncWithAllowedTypesSerializationBinder()
 {
 var jsonSerializerSettings = new JsonSerializerSettings
 {
- TypeNameHandling = TypeNameHandling.All, // lgtm [cs/unsafe-type-name-handling]
+ TypeNameHandling = TypeNameHandling.All, // CODEQL [cs/unsafe-type-name-handling] we use All so that we get typed roundtrip out of storage, but we don't use validation because we don't know what types are valid
 MaxDepth = null,
 SerializationBinder = new AllowedTypesSerializationBinder(
 new List
@@ -180,7 +180,7 @@ public async void ReadAsyncWithEmptyAllowedTypesSerializationBinder()
 {
 var jsonSerializerSettings = new JsonSerializerSettings
 {
- TypeNameHandling = TypeNameHandling.All, // lgtm [cs/unsafe-type-name-handling]
+ TypeNameHandling = TypeNameHandling.All, // CODEQL [cs/unsafe-type-name-handling] we use All so that we get typed roundtrip out of storage, but we don't use validation because we don't know what types are valid
 MaxDepth = null,
 SerializationBinder = new AllowedTypesSerializationBinder(),
 };
@@ -304,7 +304,7 @@ public async void WriteAsyncWithAllowedTypesSerializationBinder()
 });
 var jsonSerializerSettings = new JsonSerializerSettings
 {
- TypeNameHandling = TypeNameHandling.All, // lgtm [cs/unsafe-type-name-handling]
+ TypeNameHandling = TypeNameHandling.All, // CODEQL [cs/unsafe-type-name-handling] we use All so that we get typed roundtrip out of storage, but we don't use validation because we don't know what types are valid
 MaxDepth = null,
 SerializationBinder = serializationBinder,
 };
@@ -337,7 +337,7 @@ public async void WriteAsyncWithEmptyAllowedTypesSerializationBinder()
 var serializationBinder = new AllowedTypesSerializationBinder();
 var jsonSerializerSettings = new JsonSerializerSettings
 {
- TypeNameHandling = TypeNameHandling.All, // lgtm [cs/unsafe-type-name-handling]
+ TypeNameHandling = TypeNameHandling.All, // CODEQL [cs/unsafe-type-name-handling] we use All so that we get typed roundtrip out of storage, but we don't use validation because we don't know what types are valid
 MaxDepth = null,
 SerializationBinder = serializationBinder,
 };
diff --git a/tests/Microsoft.Bot.Connector.Tests/Authentication/JwtTokenExtractorTests.cs b/tests/Microsoft.Bot.Connector.Tests/Authentication/JwtTokenExtractorTests.cs
index c9538af1e1..82b597b11a 100644
--- a/tests/Microsoft.Bot.Connector.Tests/Authentication/JwtTokenExtractorTests.cs
+++ b/tests/Microsoft.Bot.Connector.Tests/Authentication/JwtTokenExtractorTests.cs
@@ -147,8 +147,7 @@ private static TokenValidationParameters CreateTokenValidationParameters(X509Cer
 ValidateIssuer = false,
 ValidIssuers = new[] { AuthenticationConstants.ToBotFromChannelTokenIssuer },
- // Audience validation takes place in JwtTokenExtractor
- ValidateAudience = false, // lgtm[cs/web/missing-token-validation]
+ ValidateAudience = false, // CODEQL [cs/web/missing-token-validation] Audience validation takes place in JwtTokenExtractor
 ValidateLifetime = true,
 ValidateIssuerSigningKey = true,
 ClockSkew = TimeSpan.FromMinutes(5),