Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[DNM] Fix CodeQL reported vulnerabilities #2398

Draft
wants to merge 4 commits into
base: main
Choose a base branch
from
Draft

[DNM] Fix CodeQL reported vulnerabilities #2398

wants to merge 4 commits into from

Conversation

KipSigei
Copy link
Contributor

@KipSigei KipSigei commented Apr 3, 2023
edited
Loading

Changes / Features implemented

Fixes the following Vulnerabilities

Steps taken to verify this change does what is intended

Side effects of implementing this change

Before submitting this PR for review, please make sure you have:

  • Included tests
  • Updated documentation

Closes #

@KipSigei
update inefficient regex
d8a39b5 
Signed-off-by: Kipchirchir Sigei <arapgodsmack@gmail.com>
@KipSigei
Use sha256 hashing instead of md5
5b283c2 
Signed-off-by: Kipchirchir Sigei <arapgodsmack@gmail.com>
@KipSigei
Improve URL and file name validation
1261365 
Signed-off-by: Kipchirchir Sigei <arapgodsmack@gmail.com>
@KipSigei
Update hash fields max length on xform and metadata models
f40ced4 
Signed-off-by: Kipchirchir Sigei <arapgodsmack@gmail.com>
github-advanced-security[bot]
github-advanced-security bot found potential problems Apr 3, 2023
View reviewed changes
onadata/libs/utils/export_tools.py
new_filename = f"{basename}-{index}{ext}"
# check for an index i.e. dash then number then dot extension
regex = re.compile(r"(.+?)\-(\d+)(\..+)")
match = regex.match(filename)

Check failure

Code scanning / CodeQL

Polynomial regular expression used on uncontrolled data

This [regular expression](1) that depends on a [user-provided value](2) may run slow on strings with many repetitions of 'a'.
onadata/apps/logger/models/xform.py
@@ -962,22 +962,22 @@

# Capture urls within form title
if re.search(
r"^(?:http(s)?:\/\/)?[\w.-]+(?:\.[\w\.-]+)+[\w\-\._~:/?#[\]@!\$&'\(\)\*\+,;=.]+$", # noqa
r"^(?:http(s)?:\/\/)?[\w\-.]+(?:\.[\w\-.]+)+[\w\-.~:/?#[\]@!\$&'()*+,;=]+$", # noqa

Check failure

Code scanning / CodeQL

Inefficient regular expression

This part of the regular expression may cause exponential backtracking on strings starting with '-.' and containing many repetitions of '-.'.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@KipSigei