Add mono-repo filtering example using a workflow matrix #1

nicolaswill · 2024-01-11T11:36:39Z

No description provided.

github-advanced-security · 2024-01-11T11:37:48Z

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

project5/test.js

+var server = http.createServer(function(req, res) {
+  let path = url.parse(req.url, true).query.path;
+
+  fs.readFileSync(path); // NOT OK


project5/test.js

+
+  var obj = bla ? something() : path;
+
+  fs.readFileSync(obj.sub); // NOT OK


project5/test.js

+  if (random()) {
+    obj.sub3 = "safe"
+  }
+  fs.readFileSync(obj.sub3); // NOT OK


project5/test.js

+  fs.readFileSync(obj.sub3); // NOT OK
+
+  obj.sub4 = 
+    fs.readFileSync(obj.sub4) ? // NOT OK


project5/test.js

+
+  obj.sub4 = 
+    fs.readFileSync(obj.sub4) ? // NOT OK
+      fs.readFileSync(obj.sub4) : // NOT OK


project5/test.js

+  obj.sub4 = 
+    fs.readFileSync(obj.sub4) ? // NOT OK
+      fs.readFileSync(obj.sub4) : // NOT OK
+      fs.readFileSync(obj.sub4); // NOT OK


project5/test.js

+
+var server2 = http.createServer(function(req, res) {
+  let path = url.parse(req.url, true).query.path;
+  nodefs.readFileSync(path); // NOT OK


project5/test.js

+
+var server3 = http.createServer(function (req, res) {
+  let path = url.parse(req.url, true).query.path;
+  chownr(path, "someuid", "somegid", function (err) {}); // NOT OK


project5/test.js

+
+const chownr = require("chownr");
+
+var server3 = http.createServer(function (req, res) {


project5/test.js

+  }
+
+  if (random()) {
+    obj.sub3 = "safe"


project6/UnsafeDynamicMethodAccess.js

+
+window.addEventListener('message', (ev) => {
+    let message = JSON.parse(ev.data);
+    window[message.name](message.payload); // NOT OK, but reported by UnsafeDynamicMethodAccess.ql [INCONSISTENCY]


project6/UnsafeDynamicMethodAccess.js

+window.addEventListener('message', (ev) => {
+    let message = JSON.parse(ev.data);
+    window[message.name](message.payload); // NOT OK, but reported by UnsafeDynamicMethodAccess.ql [INCONSISTENCY]
+    new window[message.name](message.payload); // NOT OK, but reported by UnsafeDynamicMethodAccess.ql [INCONSISTENCY]


project6/UnsafeDynamicMethodAccess.js

+    window[`HTMLElement${message.name}`](message.payload); // OK - concatenation restricts choice of methods
+
+    function f() {}
+    f[message.name](message.payload)(); // NOT OK, but reported by UnsafeDynamicMethodAccess.ql [INCONSISTENCY]


project6/UnsafeDynamicMethodAccess.js

+
+    obj[message.name](message.payload); // NOT OK
+
+    window[ev](ev); // NOT OK, but reported by UnsafeDynamicMethodAccess.ql [INCONSISTENCY]


project6/UnsafeDynamicMethodAccess.js

+    function f() {}
+    f[message.name](message.payload)(); // NOT OK, but reported by UnsafeDynamicMethodAccess.ql [INCONSISTENCY]
+
+    obj[message.name](message.payload); // NOT OK


project6/UnsafeDynamicMethodAccess.js

+
+let obj = {};
+
+window.addEventListener('message', (ev) => {


project5/test.js

+
+var server2 = http.createServer(function(req, res) {
+  let path = url.parse(req.url, true).query.path;
+  nodefs.readFileSync(path); // NOT OK


project5/test.js

+
+var server3 = http.createServer(function (req, res) {
+  let path = url.parse(req.url, true).query.path;
+  chownr(path, "someuid", "somegid", function (err) {}); // NOT OK


project5/test.js

+  }
+
+  if (random()) {
+    obj.sub3 = "safe"


project5/test.js

+
+const chownr = require("chownr");
+
+var server3 = http.createServer(function (req, res) {


project6/UnsafeDynamicMethodAccess.js

+    function f() {}
+    f[message.name](message.payload)(); // NOT OK, but reported by UnsafeDynamicMethodAccess.ql [INCONSISTENCY]
+
+    obj[message.name](message.payload); // NOT OK


project6/UnsafeDynamicMethodAccess.js

+
+window.addEventListener('message', (ev) => {
+    let message = JSON.parse(ev.data);
+    window[message.name](message.payload); // NOT OK, but reported by UnsafeDynamicMethodAccess.ql [INCONSISTENCY]


project6/UnsafeDynamicMethodAccess.js

+window.addEventListener('message', (ev) => {
+    let message = JSON.parse(ev.data);
+    window[message.name](message.payload); // NOT OK, but reported by UnsafeDynamicMethodAccess.ql [INCONSISTENCY]
+    new window[message.name](message.payload); // NOT OK, but reported by UnsafeDynamicMethodAccess.ql [INCONSISTENCY]


project6/UnsafeDynamicMethodAccess.js

+    window[`HTMLElement${message.name}`](message.payload); // OK - concatenation restricts choice of methods
+
+    function f() {}
+    f[message.name](message.payload)(); // NOT OK, but reported by UnsafeDynamicMethodAccess.ql [INCONSISTENCY]


project6/UnsafeDynamicMethodAccess.js

+
+    obj[message.name](message.payload); // NOT OK
+
+    window[ev](ev); // NOT OK, but reported by UnsafeDynamicMethodAccess.ql [INCONSISTENCY]


project6/UnsafeDynamicMethodAccess.js

+
+let obj = {};
+
+window.addEventListener('message', (ev) => {


aegilops

Looks good, thanks! One specific change, checkout up to v4, other than that it looks fine and seems to be working

aegilops · 2024-01-12T10:05:21Z

.github/workflows/codeql_mono.yml

+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3


Can you bump that to v4 please?

.github/workflows/codeql_mono.yml

Co-authored-by: Chad Bentz <[email protected]>

nicolaswill · 2024-09-10T17:15:15Z

Thanks @aegilops & @felickz, just got around to updating this PR.

aegilops · 2024-09-13T16:55:48Z

I can't merge this PR, since there's a branch protection rule preventing me from merging, due to the deliberate (example) vulnerabilities

Nikita Kraiouchkine added 7 commits October 17, 2023 12:31

Create codeql_mono.yml

b56a9d1

Create test.js

a68d8db

Update codeql_mono.yml

4bff199

Update codeql_mono.yml

a577df3

Update codeql_mono.yml

62c9ac8

Create UnsafeDynamicMethodAccess.js

d3ec207

Update codeql_mono.yml

d5ffc10

nicolaswill requested a review from aegilops as a code owner January 11, 2024 11:36

github-advanced-security bot found potential problems Jan 11, 2024

View reviewed changes

nicolaswill changed the title ~~Kraiouchkine patch 1~~ Add mono-repo filtering example using a workflow matrix Jan 11, 2024

aegilops requested changes Jan 12, 2024

View reviewed changes

felickz reviewed Sep 10, 2024

View reviewed changes

.github/workflows/codeql_mono.yml Outdated Show resolved Hide resolved

Update .github/workflows/codeql_mono.yml

2c72cd6

Co-authored-by: Chad Bentz <[email protected]>


		var obj = bla ? something() : path;

		fs.readFileSync(obj.sub); // NOT OK


		const chownr = require("chownr");

		var server3 = http.createServer(function (req, res) {


		obj[message.name](message.payload); // NOT OK

		window[ev](ev); // NOT OK, but reported by UnsafeDynamicMethodAccess.ql [INCONSISTENCY]

Add mono-repo filtering example using a workflow matrix #1

Are you sure you want to change the base?

Add mono-repo filtering example using a workflow matrix #1

Uh oh!

Conversation

nicolaswill commented Jan 11, 2024

Uh oh!

github-advanced-security bot commented Jan 11, 2024

Uh oh!

Check failure

Check failure

Check failure

Check failure

Check failure

Check failure

Check failure

Check failure

Check notice

Check notice

Check failure

Check failure

Check failure

Check failure

Check failure

Check warning

Check failure

Check failure

Check notice

Check notice

Check failure

Check failure

Check failure

Check failure

Check failure

Check warning

aegilops left a comment

Choose a reason for hiding this comment

Uh oh!

aegilops Jan 12, 2024

Choose a reason for hiding this comment

Uh oh!

Uh oh!

nicolaswill commented Sep 10, 2024

Uh oh!

aegilops commented Sep 13, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants