fix: address CodeQL code scanning alerts #85
Merged: bellini666 merged 1 commit into master on Feb 14, 2026
Dependency Review: ✅ No vulnerabilities, license issues or OpenSSF Scorecard issues found. Scanned files: none.

Codecov Report: ✅ All modified and coverable lines are covered by tests.

Coverage diff (master vs #85):

            master    #85    +/-
  Coverage  54.91%  55.04%  +0.13%
  Files         26      26
  Lines       2992    3001     +9
  Hits        1643    1652     +9
  Misses      1349    1349

View full report in Codecov by Sentry.
Pull request overview
This PR addresses CodeQL code scanning alerts by implementing security hardening measures and following the principle of least privilege in CI workflows.
Changes:
- Added explicit `permissions: contents: read` to the CI workflow to follow the principle of least privilege
- Implemented path traversal validation in `resolve_entry_point_module_to_path` to prevent directory escape attacks
- Updated existing tests to accommodate the new canonicalized path return values
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/ci.yml | Added explicit read-only permissions declaration following security best practices |
| src/fixtures/scanner.rs | Added path traversal protection (rejects .., null bytes, empty segments) and canonicalization checks to ensure resolved paths stay within base directory; updated test assertions to expect canonicalized paths |
Add explicit `permissions: contents: read` to CI workflow for least privilege. Add path traversal validation in resolve_entry_point_module_to_path to reject `..`, null bytes, and paths escaping site-packages. Remaining false-positive alerts dismissed via GitHub API.
1bdb7e3 to ce317b8 (compare)
Summary
- Added `permissions: contents: read` to CI workflow (principle of least privilege)
- Added path traversal validation in `resolve_entry_point_module_to_path`: rejects `..`, null bytes, empty segments, and verifies resolved paths stay within the base directory via canonicalization
- Dismissed remaining `rust/path-injection` alerts via GitHub API (local LSP with trusted inputs: CLI args, editor workspace roots, test code)

Test plan
- `cargo clippy --all-targets --all-features -- -D warnings` passes
- `cargo test` passes (all 54 unit + 50 integration + 1 doc test)
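The two-layer check the Copilot review and the summary above describe (lexical rejection of `..`, null bytes and empty segments, then a canonicalize-and-compare containment check) as a stand-alone added example. This is not the project's `resolve_entry_point_module_to_path` or any code from `src/fixtures/scanner.rs`; the function names `check_relative`, `resolve_within` and `build_fixture`, the error enum, and the `/`-separated relative-path input are assumptions made for this example, and it generalizes the dotted-module case on the page to any untrusted relative path. The fixture tree it builds under the system temp directory (a `base/pkg/mod.py`, an `outside/secret.txt`, and on Unix a symlink `base/pkg/link` pointing at `outside`) is constructed here so the block runs offline.

```rust
use std::fs;
use std::path::{Component, Path, PathBuf};
use std::time::{SystemTime, UNIX_EPOCH};

/// Why a candidate path was refused. The lexical variants never touch the
/// filesystem; the last two only occur after the lexical checks passed.
#[derive(Debug, PartialEq, Eq)]
pub enum ResolveError {
    Empty,
    NullByte,
    EmptySegment,   // "a//b", "/a", "a/"
    DotSegment,     // "." or ".."
    NotRelative,    // root or drive prefix that survived the segment scan
    Unresolvable,   // canonicalize() failed: missing file, permission denied, ...
    EscapesBase,    // canonical target is not below the canonical base
}

/// Lexical validation of a '/'-separated relative path (hypothetical helper).
/// Safe to call first on untrusted input because it reads nothing from disk.
pub fn check_relative(rel: &str) -> Result<PathBuf, ResolveError> {
    if rel.is_empty() {
        return Err(ResolveError::Empty);
    }
    // A NUL would silently truncate the path once it reaches a C-string API.
    if rel.contains('\0') {
        return Err(ResolveError::NullByte);
    }
    for seg in rel.split('/') {
        match seg {
            "" => return Err(ResolveError::EmptySegment),
            "." | ".." => return Err(ResolveError::DotSegment),
            _ => {}
        }
    }
    // Platform-aware view: anything that is not a plain name here is a root
    // or Windows prefix the byte-level scan above could not recognise.
    let p = Path::new(rel);
    if p.components().any(|c| !matches!(c, Component::Normal(_))) {
        return Err(ResolveError::NotRelative);
    }
    Ok(p.to_path_buf())
}

/// Join `rel` onto `base` and prove the canonical result is still inside the
/// canonical base. Canonicalizing both sides resolves symlinks, so a link
/// under `base` that points outside it is caught even though its lexical
/// form passed `check_relative`.
pub fn resolve_within(base: &Path, rel: &str) -> Result<PathBuf, ResolveError> {
    let rel = check_relative(rel)?;
    let base = fs::canonicalize(base).map_err(|_| ResolveError::Unresolvable)?;
    let target = fs::canonicalize(base.join(rel)).map_err(|_| ResolveError::Unresolvable)?;
    // Path::starts_with compares whole components, so "/x/base2" is not
    // treated as being under "/x/base" the way a string prefix test would.
    if !target.starts_with(&base) {
        return Err(ResolveError::EscapesBase);
    }
    Ok(target)
}

/// Constructed fixture (not real project data):
///   <tmp>/outside/secret.txt
///   <tmp>/base/pkg/mod.py
///   <tmp>/base/pkg/link -> <tmp>/outside   (Unix only)
/// Returns the `base` directory.
pub fn build_fixture() -> PathBuf {
    let nanos = SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_nanos();
    let root = std::env::temp_dir().join(format!("resolve-demo-{}-{}", std::process::id(), nanos));
    let base = root.join("base");
    fs::create_dir_all(base.join("pkg")).unwrap();
    fs::create_dir_all(root.join("outside")).unwrap();
    fs::write(base.join("pkg").join("mod.py"), "x = 1\n").unwrap();
    fs::write(root.join("outside").join("secret.txt"), "s3cret\n").unwrap();
    #[cfg(unix)]
    std::os::unix::fs::symlink(root.join("outside"), base.join("pkg").join("link")).unwrap();
    base
}

fn main() {
    let base = build_fixture();
    let candidates = [
        "pkg/mod.py",                     // accepted
        "pkg/../../outside/secret.txt",   // DotSegment
        "pkg//mod.py",                    // EmptySegment
        "pkg/mod.py\0",                   // NullByte
        "/etc/passwd",                    // EmptySegment (leading slash)
        "pkg/link/secret.txt",            // EscapesBase via symlink (Unix)
        "pkg/missing.py",                 // Unresolvable
    ];
    for cand in candidates {
        println!("{:?} -> {:?}", cand, resolve_within(&base, cand));
    }
}
```

Two caveats worth keeping in mind when applying this pattern: `canonicalize` requires the target to exist, so a "does it exist" probe and a containment check are the same call, and the path that comes back is what should be opened, not the original string, since a symlink swap between the check and the open is still possible (the usual TOCTOU gap; for a local tool fed trusted CLI arguments that risk is small, which is the reasoning the PR gives for dismissing the remaining alerts).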