Create codeql-analysis.yml #1096
Conversation
|
Thank you, there are certainly some improvements that can be made from that scanning report. The proper domain detection for example would be a great PR if you want to take that on as well 😉. As far as the command injection, we might be able to do more? but I feel the nature of the tool doesn't include taking unsanitized input from systems, and if a user did put |
|
@pandyaved98 can you update the PR more closely reflect: https://github.com/iterative/terraform-provider-iterative/blob/master/.github/workflows/codeql-analysis.yml |
This comment was marked as duplicate.
This comment was marked as duplicate.
None of these issues seem critical from a security standpoint; i.e. command execution is required beforehand, rendering them futile. 🤷🏼♂️ Still, it would be nice to escape properly the affected values. 👍🏼 |
|
some of the values are pretty explicit in what they accept perhaps some form of input validation could be used? |
|
@pandyaved98 if you are willing to make the requested modifications please do so; if you don't have the time or are unable to, I'll merge this to an intermediate branch to tweak. That way your contribution is not in limbo for too long. |
|
🔔 @pandyaved98, feel free to ping us if you need workflow run approvals; I took some days of vacation and missed the last workflow run request. 🙈 |
0x2b3bfa0
force-pushed
the
master
branch
11 times, most recently
from
baee693 to
1c5325f
Compare
0x2b3bfa0
force-pushed
the
master
branch
4 times, most recently
from
eb1e5a3 to
9e8bdf4
Compare
0x2b3bfa0
force-pushed
the
master
branch
5 times, most recently
from
7243fd2 to
1e081f3
Compare
0x2b3bfa0
force-pushed
the
master
branch
3 times, most recently
from
e2bed3a to
fe9a06f
Compare
There are some Critical and High Priority bugs.