Skip to content

Commit

Permalink
Fix semgrep scan workflow (#312)
Browse files Browse the repository at this point in the history
* Clean file path

* Specific permissions for semgrep job

* Add nosemgrep rules

* Update CHANGELOG.md
  • Loading branch information
waybackarchiver authored Feb 7, 2023
1 parent 6207ab9 commit 5c55f17
Show file tree
Hide file tree
Showing 10 changed files with 25 additions and 9 deletions.
5 changes: 5 additions & 0 deletions .github/workflows/analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,11 @@ jobs:
name: Semgrep Scan
if: github.actor != 'dependabot[bot]'
uses: wabarc/.github/.github/workflows/reusable-semgrep.yml@main
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
actions: read
contents: read

fossa:
if: github.event_name != 'pull_request'
Expand Down
4 changes: 4 additions & 0 deletions .semgrepignore
Original file line number Diff line number Diff line change
@@ -1 +1,5 @@
# Common large paths
template/views/

# Common test paths
*_test.go
3 changes: 3 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Support for `WAYBACK_LISTEN_ADDR` override `WAYBACK_TOR_LOCAL_PORT`
- Defaults to listen `0.0.0.0` for httpd service

### Fixed
- Fix semgrep scan workflow ([#312](https://github.com/wabarc/wayback/pull/312))

## [0.18.1] - 2022-10-30

### Fixed
Expand Down
1 change: 1 addition & 0 deletions cmd/wayback/pprof.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
// license that can be found in the LICENSE file.
package main

// nosemgrep: gitlab.gosec.G108-1
import (
"log"
"net"
Expand Down
3 changes: 2 additions & 1 deletion cmd/wayback/wayback.go
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import (
"fmt"
"net/url"
"os"
"path/filepath"
"strings"
"time"

Expand Down Expand Up @@ -137,7 +138,7 @@ func unmarshalArgs(args []string) (urls []*url.URL, err error) {

func readFromFile(s string) (urls []*url.URL) {
if helper.Exists(s) {
file, err := os.Open(s)
file, err := os.Open(filepath.Clean(s))
if err != nil {
return
}
Expand Down
4 changes: 2 additions & 2 deletions config/parser.go
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ func (p *Parser) ParseEnvironmentVariables() (*Options, error) {
func (p *Parser) ParseFile(filename string) (*Options, error) {
if filename == "" {
for _, path := range defaultFilenames() {
_, err := os.Open(path)
_, err := os.Open(filepath.Clean(path))
if err != nil {
continue
}
Expand All @@ -46,7 +46,7 @@ func (p *Parser) ParseFile(filename string) (*Options, error) {
}
}

fp, err := os.Open(filename)
fp, err := os.Open(filepath.Clean(filename))
if err != nil {
return nil, err
}
Expand Down
2 changes: 1 addition & 1 deletion publish/notion.go
Original file line number Diff line number Diff line change
Expand Up @@ -265,7 +265,7 @@ func download(u *url.URL) (path string, err error) {
}
defer fd.Close()

resp, err := http.Get(u.String())
resp, err := http.Get(u.String()) // nosemgrep: gitlab.gosec.G104-1.G107-1, gitlab.gosec.G107-1, gitlab.gosec.G108-1
if err != nil {
return path, err
}
Expand Down
4 changes: 2 additions & 2 deletions reduxer/reduxer.go
Original file line number Diff line number Diff line change
Expand Up @@ -372,7 +372,7 @@ func media(ctx context.Context, dir, in string) string {
args = append(args, "--verbose", "--print-traffic")
}

cmd := exec.CommandContext(ctx, ytdl, args...)
cmd := exec.CommandContext(ctx, ytdl, args...) // nosemgrep: gitlab.gosec.G204-1
logger.Debug("youtube-dl args: %s", cmd.String())

if err := run(cmd); err != nil {
Expand All @@ -391,7 +391,7 @@ func media(ctx context.Context, dir, in string) string {
args := []string{
"--output-filename=" + fp, in,
}
cmd := exec.CommandContext(ctx, youget, args...)
cmd := exec.CommandContext(ctx, youget, args...) // nosemgrep: gitlab.gosec.G204-1
logger.Debug("youget args: %s", cmd.String())

if err := run(cmd); err != nil {
Expand Down
3 changes: 2 additions & 1 deletion service/httpd/tor.go
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import (
"net/http"
"os"
"os/exec"
"path/filepath"
"time"

// "github.com/ipsn/go-libtor"
Expand Down Expand Up @@ -115,7 +116,7 @@ func (t *Tor) torrc() string {
if torPortBusy() {
return ""
}
if _, err := os.Open(config.Opts.TorrcFile()); err != nil {
if _, err := os.Open(filepath.Clean(config.Opts.TorrcFile())); err != nil {
return ""
}
return config.Opts.TorrcFile()
Expand Down
5 changes: 3 additions & 2 deletions service/utils.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ import (
"net/url"
"os"
"path"
"path/filepath"
"strings"
"sync"

Expand Down Expand Up @@ -116,7 +117,7 @@ func UploadToDiscord(art reduxer.Artifact) (files []*discord.File) {
upper := config.Opts.MaxAttachSize("discord")
for _, fp := range filterArtifact(art, upper) {
logger.Debug("open file: %s", fp)
rd, err := os.Open(fp)
rd, err := os.Open(filepath.Clean(fp))
if err != nil {
logger.Error("open file failed: %v", err)
continue
Expand All @@ -135,7 +136,7 @@ func UploadToSlack(client *slack.Client, art reduxer.Artifact, channel, timestam

upper := config.Opts.MaxAttachSize("slack")
for _, fp := range filterArtifact(art, upper) {
rd, e := os.Open(fp)
rd, e := os.Open(filepath.Clean(fp))
if e != nil {
err = errors.Wrap(err, e.Error())
continue
Expand Down

0 comments on commit 5c55f17

Please sign in to comment.