microsoft · gandiddi · May 8, 2024 · May 8, 2024 · May 8, 2024
@@ -71,14 +71,14 @@ public virtual bool ValidateSignature(HttpRequest request, string jsonPayload)
                 ? request.Headers[SparkSignature].ToString().ToUpperInvariant()
                 : throw new InvalidOperationException($"HttpRequest is missing \"{SparkSignature}\"");
 
-#pragma warning disable CA5350 // Webex API uses SHA1 as cryptographic algorithm.
-            using (var hmac = new HMACSHA1(Encoding.UTF8.GetBytes(Options.WebexSecret))) //lgtm[cs/weak-encryption]
+#pragma warning disable CA5350
+            using (var hmac = new HMACSHA1(Encoding.UTF8.GetBytes(Options.WebexSecret))) // CODEQL [cs/weak-encryption] Webex API uses SHA1 as cryptographic algorithm.
             {
                 var hashArray = hmac.ComputeHash(Encoding.UTF8.GetBytes(jsonPayload));
                 var hash = BitConverter.ToString(hashArray).Replace("-", string.Empty).ToUpperInvariant();
                 return signature == hash;
             }
-#pragma warning restore CA5350 // Webex API uses SHA1 as cryptographic algorithm.
+#pragma warning restore CA5350
         }
 
         /// <summary>

@@ -114,7 +114,7 @@ internal BlobsTranscriptStore(BlobContainerClient containerClient, JsonSerialize
 
             _jsonSerializer = jsonSerializer ?? JsonSerializer.Create(new JsonSerializerSettings
             {
-                TypeNameHandling = TypeNameHandling.All, // lgtm [cs/unsafe-type-name-handling]
+                TypeNameHandling = TypeNameHandling.All, // CODEQL [cs/unsafe-type-name-handling] we use All so that we get typed roundtrip out of storage, but we don't use validation because we don't know what types are valid
                 MaxDepth = null,
             });
         }

@@ -33,8 +33,7 @@ public class AzureBlobStorage : IStorage
     {
         private static readonly JsonSerializer JsonSerializer = JsonSerializer.Create(new JsonSerializerSettings
         {
-            // we use All so that we get typed roundtrip out of storage, but we don't use validation because we don't know what types are valid
-            TypeNameHandling = TypeNameHandling.All, // lgtm [cs/unsafe-type-name-handling]
+            TypeNameHandling = TypeNameHandling.All, // CODEQL [cs/unsafe-type-name-handling] we use All so that we get typed roundtrip out of storage, but we don't use validation because we don't know what types are valid
             MaxDepth = null,
         });
 

@@ -24,7 +24,7 @@ public class CosmosDbPartitionedStorage : IStorage, IDisposable
 
         private readonly JsonSerializer _jsonSerializer = JsonSerializer.Create(new JsonSerializerSettings
         {
-            TypeNameHandling = TypeNameHandling.All, // lgtm [cs/unsafe-type-name-handling]
+            TypeNameHandling = TypeNameHandling.All, // CODEQL [cs/unsafe-type-name-handling] we use All so that we get typed roundtrip out of storage, but we don't use validation because we don't know what types are valid
             MaxDepth = null
         });
 

@@ -18,7 +18,7 @@ public class MemoryStorage : IStorage
     {
         private static readonly JsonSerializer StateJsonSerializer = new JsonSerializer()
         {
-            TypeNameHandling = TypeNameHandling.All, // lgtm [cs/unsafe-type-name-handling]
+            TypeNameHandling = TypeNameHandling.All, // CODEQL [cs/unsafe-type-name-handling] we use All so that we get typed roundtrip out of storage, but we don't use validation because we don't know what types are valid
             ReferenceLoopHandling = ReferenceLoopHandling.Error,
             MaxDepth = null
         };

@@ -31,8 +31,7 @@ public static class AseChannelValidation
             {
                 ValidateIssuer = true,
 
-                // Audience validation takes place manually in code.
-                ValidateAudience = false, // lgtm[cs/web/missing-token-validation]
+                ValidateAudience = false, // CODEQL [cs/web/missing-token-validation] Audience validation takes place manually in code.
                 ValidateLifetime = true,
                 ClockSkew = TimeSpan.FromMinutes(5),
                 RequireSignedTokens = true,

@@ -25,8 +25,7 @@ public static class ChannelValidation
                 ValidateIssuer = true,
                 ValidIssuers = new[] { AuthenticationConstants.ToBotFromChannelTokenIssuer },
 
-                // Audience validation takes place in JwtTokenExtractor
-                ValidateAudience = false, // lgtm[cs/web/missing-token-validation]
+                ValidateAudience = false, // CODEQL [cs/web/missing-token-validation] Audience validation takes place in JwtTokenExtractor
                 ValidateLifetime = true,
                 ClockSkew = TimeSpan.FromMinutes(5),
                 RequireSignedTokens = true,

@@ -37,8 +37,7 @@ public static class EmulatorValidation
                     "https://login.microsoftonline.us/f8cdef31-a31e-4b4a-93e4-5f571e91255a/v2.0",       // Auth for US Gov, 2.0 token
                 },
 
-                // Audience validation takes place manually in code.
-                ValidateAudience = false, // lgtm[cs/web/missing-token-validation]
+                ValidateAudience = false, // CODEQL [cs/web/missing-token-validation] Audience validation takes place manually in code.
                 ValidateLifetime = true,
                 ClockSkew = TimeSpan.FromMinutes(5),
                 RequireSignedTokens = true,

@@ -26,8 +26,7 @@ public sealed class EnterpriseChannelValidation
                 ValidateIssuer = true,
                 ValidIssuers = new[] { AuthenticationConstants.ToBotFromChannelTokenIssuer },
 
-                // Audience validation takes place in JwtTokenExtractor
-                ValidateAudience = false, // lgtm[cs/web/missing-token-validation]
+                ValidateAudience = false, // CODEQL [cs/web/missing-token-validation] Audience validation takes place in JwtTokenExtractor
                 ValidateLifetime = true,
                 ClockSkew = TimeSpan.FromMinutes(5),
                 RequireSignedTokens = true,

@@ -25,8 +25,7 @@ public sealed class GovernmentChannelValidation
                 ValidateIssuer = true,
                 ValidIssuers = new[] { GovernmentAuthenticationConstants.ToBotFromChannelTokenIssuer },
 
-                // Audience validation takes place in JwtTokenExtractor
-                ValidateAudience = false, // lgtm[cs/web/missing-token-validation]
+                ValidateAudience = false, // CODEQL [cs/web/missing-token-validation] Audience validation takes place in JwtTokenExtractor
                 ValidateLifetime = true,
                 ClockSkew = TimeSpan.FromMinutes(5),
                 RequireSignedTokens = true,

@@ -210,8 +210,7 @@ private async Task<ClaimsIdentity> SkillValidation_AuthenticateChannelTokenAsync
                     "https://login.microsoftonline.us/cab8a31a-1906-4287-a0d8-4eef66b95f6e/v2.0" // Auth for US Gov, 2.0 token
                     },
 
-                    // Audience validation takes place manually in code.
-                    ValidateAudience = true, // lgtm[cs/web/missing-token-validation]
+                    ValidateAudience = true, // CODEQL [cs/web/missing-token-validation] Audience validation takes place manually in code.
                     ValidateLifetime = true,
                     ClockSkew = TimeSpan.FromMinutes(5),
                     RequireSignedTokens = true
@@ -300,8 +299,7 @@ private async Task<ClaimsIdentity> EmulatorValidation_AuthenticateEmulatorTokenA
                     "https://login.microsoftonline.us/cab8a31a-1906-4287-a0d8-4eef66b95f6e/v2.0", // Auth for US Gov, 2.0 token
                     },
 
-                    // Audience validation takes place manually in code.
-                    ValidateAudience = false, // lgtm[cs/web/missing-token-validation]
+                    ValidateAudience = false, // CODEQL [cs/web/missing-token-validation] Audience validation takes place manually in code.
                     ValidateLifetime = true,
                     ClockSkew = TimeSpan.FromMinutes(5),
                     RequireSignedTokens = true,
@@ -414,8 +412,7 @@ private TokenValidationParameters GovernmentChannelValidation_GetTokenValidation
                 ValidateIssuer = true,
                 ValidIssuers = new[] { _toBotFromChannelTokenIssuer },
 
-                // Audience validation takes place in JwtTokenExtractor
-                ValidateAudience = false, // lgtm[cs/web/missing-token-validation]
+                ValidateAudience = false, // CODEQL [cs/web/missing-token-validation] Audience validation takes place in JwtTokenExtractor
                 ValidateLifetime = true,
                 ClockSkew = TimeSpan.FromMinutes(5),
                 RequireSignedTokens = true,

@@ -136,8 +136,7 @@ public static async Task<ClaimsIdentity> AuthenticateChannelToken(string authHea
                     "https://login.microsoftonline.us/f8cdef31-a31e-4b4a-93e4-5f571e91255a/v2.0", // Auth for US Gov, 2.0 token
                 },
 
-                // Audience validation takes place manually in code.
-                ValidateAudience = false, // lgtm[cs/web/missing-token-validation]
+                ValidateAudience = false, // CODEQL [cs/web/missing-token-validation] Audience validation takes place manually in code.
                 ValidateLifetime = true,
                 ClockSkew = TimeSpan.FromMinutes(5),
                 RequireSignedTokens = true

@@ -126,7 +126,7 @@ public async void WriteAsyncWithAllowedTypesSerializationBinder()
                 });
             var jsonSerializerSettings = new JsonSerializerSettings
             {
-                TypeNameHandling = TypeNameHandling.All, // lgtm [cs/unsafe-type-name-handling]
+                TypeNameHandling = TypeNameHandling.All, // CODEQL [cs/unsafe-type-name-handling] we use All so that we get typed roundtrip out of storage, but we don't use validation because we don't know what types are valid
                 MaxDepth = null,
                 SerializationBinder = serializationBinder,
             };
@@ -175,7 +175,7 @@ public async void WriteAsyncWithEmptyAllowedTypesSerializationBinder()
             var serializationBinder = new AllowedTypesSerializationBinder();
             var jsonSerializerSettings = new JsonSerializerSettings
             {
-                TypeNameHandling = TypeNameHandling.All, // lgtm [cs/unsafe-type-name-handling]
+                TypeNameHandling = TypeNameHandling.All, // CODEQL [cs/unsafe-type-name-handling] we use All so that we get typed roundtrip out of storage, but we don't use validation because we don't know what types are valid
                 MaxDepth = null,
                 SerializationBinder = serializationBinder,
             };
@@ -295,7 +295,7 @@ public async void ReadAsyncWithAllowedTypesSerializationBinder()
         {            
             var jsonSerializerSettings = new JsonSerializerSettings
             {
-                TypeNameHandling = TypeNameHandling.All, // lgtm [cs/unsafe-type-name-handling]
+                TypeNameHandling = TypeNameHandling.All, // CODEQL [cs/unsafe-type-name-handling] we use All so that we get typed roundtrip out of storage, but we don't use validation because we don't know what types are valid
                 MaxDepth = null,
                 SerializationBinder = new AllowedTypesSerializationBinder(
                     new List<Type>
@@ -337,7 +337,7 @@ public async void ReadAsyncWithEmptyAllowedTypesSerializationBinder()
         {            
             var jsonSerializerSettings = new JsonSerializerSettings
             {
-                TypeNameHandling = TypeNameHandling.All, // lgtm [cs/unsafe-type-name-handling]
+                TypeNameHandling = TypeNameHandling.All, // CODEQL [cs/unsafe-type-name-handling] we use All so that we get typed roundtrip out of storage, but we don't use validation because we don't know what types are valid
                 MaxDepth = null,
                 SerializationBinder = new AllowedTypesSerializationBinder(),
             };

@@ -142,7 +142,7 @@ public async void ReadAsyncWithAllowedTypesSerializationBinder()
         {
             var jsonSerializerSettings = new JsonSerializerSettings
             {
-                TypeNameHandling = TypeNameHandling.All, // lgtm [cs/unsafe-type-name-handling]
+                TypeNameHandling = TypeNameHandling.All, // CODEQL [cs/unsafe-type-name-handling] we use All so that we get typed roundtrip out of storage, but we don't use validation because we don't know what types are valid
                 MaxDepth = null,
                 SerializationBinder = new AllowedTypesSerializationBinder(
                     new List<Type>
@@ -180,7 +180,7 @@ public async void ReadAsyncWithEmptyAllowedTypesSerializationBinder()
         {
             var jsonSerializerSettings = new JsonSerializerSettings
             {
-                TypeNameHandling = TypeNameHandling.All, // lgtm [cs/unsafe-type-name-handling]
+                TypeNameHandling = TypeNameHandling.All, // CODEQL [cs/unsafe-type-name-handling] we use All so that we get typed roundtrip out of storage, but we don't use validation because we don't know what types are valid
                 MaxDepth = null,
                 SerializationBinder = new AllowedTypesSerializationBinder(),
             };
@@ -304,7 +304,7 @@ public async void WriteAsyncWithAllowedTypesSerializationBinder()
                 });
             var jsonSerializerSettings = new JsonSerializerSettings
             {
-                TypeNameHandling = TypeNameHandling.All, // lgtm [cs/unsafe-type-name-handling]
+                TypeNameHandling = TypeNameHandling.All, // CODEQL [cs/unsafe-type-name-handling] we use All so that we get typed roundtrip out of storage, but we don't use validation because we don't know what types are valid
                 MaxDepth = null,
                 SerializationBinder = serializationBinder,
             };
@@ -337,7 +337,7 @@ public async void WriteAsyncWithEmptyAllowedTypesSerializationBinder()
             var serializationBinder = new AllowedTypesSerializationBinder();
             var jsonSerializerSettings = new JsonSerializerSettings
             {
-                TypeNameHandling = TypeNameHandling.All, // lgtm [cs/unsafe-type-name-handling]
+                TypeNameHandling = TypeNameHandling.All, // CODEQL [cs/unsafe-type-name-handling] we use All so that we get typed roundtrip out of storage, but we don't use validation because we don't know what types are valid
                 MaxDepth = null,
                 SerializationBinder = serializationBinder,
             };

@@ -147,8 +147,7 @@ private static TokenValidationParameters CreateTokenValidationParameters(X509Cer
                 ValidateIssuer = false,
                 ValidIssuers = new[] { AuthenticationConstants.ToBotFromChannelTokenIssuer },
 
-                // Audience validation takes place in JwtTokenExtractor
-                ValidateAudience = false, // lgtm[cs/web/missing-token-validation]
+                ValidateAudience = false, // CODEQL [cs/web/missing-token-validation] Audience validation takes place in JwtTokenExtractor
                 ValidateLifetime = true,
                 ValidateIssuerSigningKey = true,
                 ClockSkew = TimeSpan.FromMinutes(5),