Skip to content

Fix 86 CodeQL findings across Go, Python, and CI workflows#177

Merged
jeremy merged 6 commits intomainfrom
codeql
Mar 3, 2026
Merged

Fix 86 CodeQL findings across Go, Python, and CI workflows#177
jeremy merged 6 commits intomainfrom
codeql

Conversation

@jeremy
Copy link
Member

@jeremy jeremy commented Mar 3, 2026
edited
Loading

Summary

Resolves all 86 open high-severity CodeQL findings from GitHub code scanning:

  • ~69 go/path-injection: Apply filepath.Clean() at source functions (GlobalConfigDir, defaultCacheDir, defaultStateDir, etc.) where env vars and OS APIs produce tainted values. Uses "fallback first, then clean non-empty" pattern to avoid filepath.Clean("") returning ".".
  • 1 log injection: Strip \n/\r from auth token before printing.
  • 1 command injection: Validate $EDITOR with exec.LookPath() before exec.Command().
  • 2 integer overflow: Guard float64int64 conversion with 2^53 precision bound (largest consecutive-integer range for float64).
  • 7 missing workflow permissions: Add permissions: contents: read to test.yml.
  • 1 unpinned action tag: Pin golangci-lint-action and actions/cache to commit hashes in release.yml.
  • 6 Python py/path-injection: Validate Path.resolve().is_dir() in doc_parity.py.

17 files changed, 153 insertions, 27 deletions across 6 atomic commits.

Test plan

  • make check passes (fmt-check, vet, lint, test, test-e2e, provenance-check, check-naming, check-surface)
  • CodeQL scan on this branch shows 0 remaining findings

Copilot AI review requested due to automatic review settings March 3, 2026 07:34
@github-actions github-actions bot added commands CLI command implementations tui Terminal UI tests Tests (unit and e2e) ci CI/CD workflows output Output formatting and presentation bug Something isn't working labels Mar 3, 2026
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 3, 2026
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 3, 2026
View reviewed changes
Copilot AI reviewed Mar 3, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR resolves 86 open high-severity CodeQL findings across Go, Python, and CI workflows. Fixes span path injection (applying filepath.Clean() at taint sources), log injection (stripping \n/\r from auth tokens before printing), command injection (validating $EDITOR with exec.LookPath()), integer overflow (guarding float64→int64 with the 2^53 safe-integer bound), missing CI workflow permissions, unpinned action tags, and Python path injection.

Changes:

  • Apply filepath.Clean() to environment-variable-derived paths (XDG dirs, $HOME, $BASECAMP_THEME) across ~10 Go files to satisfy CodeQL go/path-injection rules.
  • Fix command injection (exec.LookPath guard on $EDITOR), log injection (\n/\r strip on token), and integer overflow (math.Trunc + safe-int bounds) in Go code.
  • Harden CI workflows: add permissions: contents: read to test.yml, SHA-pin golangci-lint-action and actions/cache in release.yml, and add is_dir() validation guards in scripts/doc_parity.py.

Reviewed changes

Copilot reviewed 17 out of 17 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
scripts/doc_parity.py Added is_dir() validation for all user-supplied paths (6 Python path-injection findings)
internal/tui/workspace/workspace.go Apply filepath.Clean(configDir) for keybindings path
internal/tui/workspace/widget/composer.go Add exec.LookPath validation for $EDITOR; apply filepath.Clean(home)
internal/tui/theme.go Apply filepath.Clean to $BASECAMP_THEME and home-derived paths
internal/richtext/mime_test.go New tests for empty-path behaviour in DetectMIME and ValidateFile
internal/richtext/mime.go Guard empty path before filepath.Clean; apply filepath.Clean to non-empty paths
internal/resilience/store.go Apply filepath.Clean to XDG/home-derived cache paths
internal/output/render.go Replace int(v) cast with safe-int-bounded int64(v) using math.Trunc
internal/output/output_test.go Comprehensive boundary tests for float→int formatting
internal/harness/claude.go Apply filepath.Clean(home) for Claude plugin detection paths
internal/config/config.go Apply filepath.Clean to XDG/home-derived config paths
internal/completion/cache.go Apply filepath.Clean to XDG/home-derived cache paths
internal/commands/migrate.go Apply filepath.Clean(home) with proper error guard
internal/commands/doctor.go Apply filepath.Clean(home) with non-empty guard for shell completion checks
internal/commands/auth.go Strip \n/\r from token before fmt.Println (log injection fix)
.github/workflows/test.yml Add permissions: contents: read (7 missing permission findings)
.github/workflows/release.yml SHA-pin golangci-lint-action and actions/cache (1 unpinned action finding)

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@github-actions github-actions bot added bug Something isn't working and removed bug Something isn't working labels Mar 3, 2026
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 3, 2026
View reviewed changes
Copilot AI review requested due to automatic review settings March 3, 2026 07:52
@github-actions github-actions bot added bug Something isn't working and removed bug Something isn't working labels Mar 3, 2026
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 3, 2026
View reviewed changes
@github-actions github-actions bot added bug Something isn't working and removed bug Something isn't working labels Mar 3, 2026
Copilot AI reviewed Mar 3, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 17 out of 17 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

jeremy added 5 commits March 3, 2026 00:03
@jeremy
Sanitize paths from env vars and OS APIs to fix CodeQL go/path-injection
225a153 
Apply filepath.Clean() at source functions where environment variables
(XDG_CONFIG_HOME, XDG_CACHE_HOME, HOME) and OS APIs (UserHomeDir,
UserCacheDir, UserConfigDir) produce tainted values. This breaks
CodeQL's taint chain for ~69 downstream path-injection findings.

Uses "fallback first, then clean non-empty" pattern to avoid
filepath.Clean("") returning "." which would redirect to CWD.
Falls back to os.TempDir() when home directory is unavailable.
@jeremy
Strip newlines from auth token output to fix CodeQL log-injection
6adf90c
@jeremy
Validate editor path with LookPath to fix CodeQL command-injection
67e5603 
exec.LookPath() is recognized by CodeQL as a sanitizer for the
command-injection finding on $EDITOR-derived exec.Command calls.
@jeremy
Guard float-to-int conversion with 2^53 precision bound to fix CodeQL…
1ce86eb 
… integer-overflow

float64 can only represent consecutive integers exactly up to 2^53.
Check range before casting to int64 to avoid undefined behavior for
large floats. Adds boundary tests for precision edge cases.
@jeremy
Add workflow permissions and pin action tags for CodeQL security find…
26c13cb 
…ings

- Add top-level permissions: contents: read to test.yml (7 findings)
- Pin golangci-lint-action and actions/cache to commit hashes in release.yml
@github-actions github-actions bot added breaking Breaking change and removed bug Something isn't working labels Mar 3, 2026
@github-actions
Copy link

github-actions bot commented Mar 3, 2026

⚠️ Potential breaking changes detected:

  • Change in token output format: replaced newlines and carriage returns in the auth command output. This may break scripts parsing the output if they rely on the original format.

Review carefully before merging. Consider a major version bump.

@github-actions github-actions bot added the bug Something isn't working label Mar 3, 2026
@jeremy jeremy removed the breaking Breaking change label Mar 3, 2026
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 3, 2026
View reviewed changes
Copilot AI review requested due to automatic review settings March 3, 2026 08:08
@github-actions github-actions bot added bug Something isn't working and removed bug Something isn't working labels Mar 3, 2026
Copilot AI reviewed Mar 3, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 17 out of 17 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@github-actions github-actions bot added bug Something isn't working and removed bug Something isn't working labels Mar 3, 2026
@jeremy jeremy merged commit 0257161 into main Mar 3, 2026
21 checks passed
@jeremy jeremy deleted the codeql branch March 3, 2026 08:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

bug Something isn't working ci CI/CD workflows commands CLI command implementations output Output formatting and presentation tests Tests (unit and e2e) tui Terminal UI

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jeremy