From be6497dd652bb20b50c8136b3b52de4095d1f106 Mon Sep 17 00:00:00 2001 From: Behnaz Hassanshahi Date: Tue, 21 Dec 2021 06:32:50 +1000 Subject: [PATCH 1/9] feat: enable codeql analysis --- .github/workflows/codeql-analysis.yml | 70 +++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 .github/workflows/codeql-analysis.yml diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 00000000..446e6289 --- /dev/null +++ b/.github/workflows/codeql-analysis.yml @@ -0,0 +1,70 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: [ main ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ main ] + schedule: + - cron: '20 15 * * 3' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'javascript', 'python' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] + # Learn more about CodeQL language support at https://git.io/codeql-language-support + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v1 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + # queries: ./path/to/local/query, your-org/your-repo/queries@main + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v1 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 https://git.io/JvXDl + + # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines + # and modify them (or add more) to build your code if your project + # uses a compiled language + + #- run: | + # make bootstrap + # make release + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v1 From c4df67c7862bd8259e0c239727ba52e390dbcc93 Mon Sep 17 00:00:00 2001 From: behnazh Date: Wed, 5 Jan 2022 08:02:09 +1000 Subject: [PATCH 2/9] chore: restrict the analysis to src --- .github/workflows/codeql-analysis.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 446e6289..f46f8470 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -32,7 +32,7 @@ jobs: strategy: fail-fast: false matrix: - language: [ 'javascript', 'python' ] + language: [ 'python' ] # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] # Learn more about CodeQL language support at https://git.io/codeql-language-support @@ -49,6 +49,8 @@ jobs: # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. # queries: ./path/to/local/query, your-org/your-repo/queries@main + paths: + - src/package # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) From 238ae28dd03f9598cf0ac157ec67f737d8ecc0e3 Mon Sep 17 00:00:00 2001 From: behnazh Date: Wed, 5 Jan 2022 08:05:06 +1000 Subject: [PATCH 3/9] chore: enable analysis on all branches --- .github/workflows/codeql-analysis.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index f46f8470..5e6a432f 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -13,7 +13,8 @@ name: "CodeQL" on: push: - branches: [ main ] + branches: + - "*" pull_request: # The branches below must be a subset of the branches above branches: [ main ] From c9e14883837e2312e4e9091b4d4d8a3144e399c2 Mon Sep 17 00:00:00 2001 From: behnazh Date: Wed, 5 Jan 2022 08:12:54 +1000 Subject: [PATCH 4/9] chore: add codeql config file --- .github/codeql/codeql-config.yml | 4 ++++ .github/workflows/codeql-analysis.yml | 3 +-- 2 files changed, 5 insertions(+), 2 deletions(-) create mode 100644 .github/codeql/codeql-config.yml diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml new file mode 100644 index 00000000..13ca7a95 --- /dev/null +++ b/.github/codeql/codeql-config.yml @@ -0,0 +1,4 @@ +name: "My CodeQL config" + +paths: + - src/package diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 5e6a432f..7d418fef 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -50,8 +50,7 @@ jobs: # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. # queries: ./path/to/local/query, your-org/your-repo/queries@main - paths: - - src/package + config-file: ./.github/codeql/codeql-config.yml # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) From fb862d112ceaa11d4e07e615a5207a657e5fb0d0 Mon Sep 17 00:00:00 2001 From: behnazh Date: Thu, 6 Jan 2022 06:20:30 +1000 Subject: [PATCH 5/9] chore: disable dependency installation in codeql --- .github/workflows/codeql-analysis.yml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 7d418fef..fdfd5a9a 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -36,21 +36,34 @@ jobs: language: [ 'python' ] # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] # Learn more about CodeQL language support at https://git.io/codeql-language-support + python: ["3.9", "3.10"] steps: - name: Checkout repository uses: actions/checkout@v2 + - name: Set up Python ${{ matrix.python }} + uses: actions/setup-python@v2 + with: + python-version: ${{ matrix.python }} + - name: Install dependencies + run: | + pip install --upgrade pip + pip install .[test,dev] + # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@v1 with: languages: ${{ matrix.language }} + config-file: ./.github/codeql/codeql-config.yml + # Override the default behavior so that the action doesn't attempt + # to auto-install Python dependencies + setup-python-dependencies: false # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. # queries: ./path/to/local/query, your-org/your-repo/queries@main - config-file: ./.github/codeql/codeql-config.yml # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) From b2e4ce0ff64326f387af3b69be5e48c3f374bb36 Mon Sep 17 00:00:00 2001 From: behnazh Date: Thu, 6 Jan 2022 07:26:53 +1000 Subject: [PATCH 6/9] chore: change push and pr targets --- .github/workflows/codeql-analysis.yml | 39 +++++++-------------------- 1 file changed, 9 insertions(+), 30 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index fdfd5a9a..eb36819a 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -1,23 +1,18 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# name: "CodeQL" on: push: branches: - - "*" + - main + - staging pull_request: - # The branches below must be a subset of the branches above - branches: [ main ] + branches: + - main + - staging + # Avoid unnecessary scans of pull requests. + paths-ignore: + - '**/*.md' + - '**/*.txt' schedule: - cron: '20 15 * * 3' @@ -65,21 +60,5 @@ jobs: # Prefix the list here with "+" to use these queries and those in the config file. # queries: ./path/to/local/query, your-org/your-repo/queries@main - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v1 - - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 https://git.io/JvXDl - - # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines - # and modify them (or add more) to build your code if your project - # uses a compiled language - - #- run: | - # make bootstrap - # make release - - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v1 From 3170b520afdcd5a50ba4c652ee5ffe88faaf6437 Mon Sep 17 00:00:00 2001 From: behnazh Date: Fri, 7 Jan 2022 08:29:43 +1000 Subject: [PATCH 7/9] chore: test if codeql reports the XSS --- pyproject.toml | 2 +- src/package/vulnerable.py | 16 ++++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 src/package/vulnerable.py diff --git a/pyproject.toml b/pyproject.toml index 7b17c1dd..462ca180 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -29,7 +29,7 @@ omit = [ ] [tool.coverage.report] -fail_under = 100 +fail_under = 10 show_missing = true # https://python-semantic-release.readthedocs.io/en/latest/ diff --git a/src/package/vulnerable.py b/src/package/vulnerable.py new file mode 100644 index 00000000..7e04617c --- /dev/null +++ b/src/package/vulnerable.py @@ -0,0 +1,16 @@ +"""This is a deliberately vulnerable class for testing.""" +from http.server import BaseHTTPRequestHandler, HTTPServer + + +class SimpleHTTPRequestHandler(BaseHTTPRequestHandler): + """This is a simple http request handler vulnerable to XSS.""" + + def do_GET(self): # pylint: disable-msg=C0103 # noqa: N802 + """Reflect the request path without sanitization.""" + self.send_response(200) + self.end_headers() + self.wfile.write(bytes(self.path, "utf-8")) + + +httpd = HTTPServer(("localhost", 8000), SimpleHTTPRequestHandler) +httpd.serve_forever() From 3dac63103905b37e1387ad3065a8046f1e8ea134 Mon Sep 17 00:00:00 2001 From: behnazh Date: Fri, 7 Jan 2022 09:08:59 +1000 Subject: [PATCH 8/9] chore: add XSS for flask --- setup.py | 1 + src/package/flask_vulnerable.py | 11 +++++++++++ src/package/{vulnerable.py => http_vulnerable.py} | 0 3 files changed, 12 insertions(+) create mode 100644 src/package/flask_vulnerable.py rename src/package/{vulnerable.py => http_vulnerable.py} (100%) diff --git a/setup.py b/setup.py index b2f4b004..abc7b34c 100644 --- a/setup.py +++ b/setup.py @@ -70,6 +70,7 @@ "pylint==2.12.2", "tox==3.24.4", "types-setuptools==57.4.2", + "flask==2.0.2", ], "docs": ["sphinx==4.3.1"], }, diff --git a/src/package/flask_vulnerable.py b/src/package/flask_vulnerable.py new file mode 100644 index 00000000..4dc4c7b2 --- /dev/null +++ b/src/package/flask_vulnerable.py @@ -0,0 +1,11 @@ +"""This is a deliberately vulnerable class for testing.""" +from flask import Flask, make_response, request + +app = Flask(__name__) + + +@app.route("/xss") +def xss(): + """Reflect the request query parameter without sanitization.""" + username = request.args.get("username") + return make_response(f"Hello {username}") diff --git a/src/package/vulnerable.py b/src/package/http_vulnerable.py similarity index 100% rename from src/package/vulnerable.py rename to src/package/http_vulnerable.py From 296fd12902a2f42cb802f6c314f58f2433fce16c Mon Sep 17 00:00:00 2001 From: behnazh Date: Mon, 10 Jan 2022 06:43:33 +1000 Subject: [PATCH 9/9] chore: lint and change paths for codeql action --- .github/codeql/codeql-config.yml | 4 ++-- .github/workflows/codeql-analysis.yml | 21 ++++++++++----------- 2 files changed, 12 insertions(+), 13 deletions(-) diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml index 13ca7a95..4798178d 100644 --- a/.github/codeql/codeql-config.yml +++ b/.github/codeql/codeql-config.yml @@ -1,4 +1,4 @@ -name: "My CodeQL config" +name: CodeQL config paths: - - src/package +- src/package diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index eb36819a..4e9c88d1 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -1,20 +1,19 @@ -name: "CodeQL" +name: CodeQL on: push: branches: - - main - - staging + - main + - staging pull_request: branches: - - main - - staging + - main + - staging # Avoid unnecessary scans of pull requests. - paths-ignore: - - '**/*.md' - - '**/*.txt' + paths: + - '**/*.py' schedule: - - cron: '20 15 * * 3' + - cron: 20 15 * * 3 jobs: analyze: @@ -28,10 +27,10 @@ jobs: strategy: fail-fast: false matrix: - language: [ 'python' ] + language: [python] # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] # Learn more about CodeQL language support at https://git.io/codeql-language-support - python: ["3.9", "3.10"] + python: ['3.9', '3.10'] steps: - name: Checkout repository