Commit Graph

2 Commits

Author SHA1 Message Date
jmiller 2f119fbd95 fix(security): code scanner panics at startup on RE2-incompatible regexp
PR RC Release / Build RC Release (pull_request) Successful in 3s
Universal: PR Check / Branch Policy (pull_request) Successful in 2s
Universal: PR Check / Validate PR (pull_request) Successful in 16s
RC Revert / Rename rc/ back to dev/ (pull_request) Has been skipped
Branch Cleanup / Delete merged branch (pull_request) Successful in 2s
Generic: Project CI / Lint & Validate (pull_request) Successful in 44s
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Successful in 1m29s
Universal: PR Check / Secret Scan (pull_request) Successful in 3m49s
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
The "deserialize-yaml-py" rule in services/security/code_scanner.go used a
negative lookahead `(?!\s*#)` in regexp.MustCompile. Go's regexp engine is
RE2, which has no lookahead/lookbehind, so MustCompile panics during the
package init() — crash-looping the entire server at startup. `go build` and
`go vet` do not execute init(), and CI never boots the binary, so this
shipped to main via #552 undetected; the running instances survived only
because they predate that image.

Replace the pattern with an RE2-safe equivalent `(?i)yaml\.load\s*\(`, which
matches the rule's stated intent (flag yaml.load() without SafeLoader,
CWE-502). Add a regression test that forces the package init and asserts
every DefaultCodeRules pattern compiled, so a future RE2-incompatible
pattern fails in CI here instead of on a live deploy.

Claude-Session: https://claude.ai/code/session_01Wsno14cxE49MstXFs9G5KT
2026-07-05 15:06:57 -05:00
jmiller 7c75133ef1 feat: code security scanner with OWASP pattern detection (#552)
Universal: Auto Version Bump / Version Bump (push) Successful in 13s
Universal: PR Check / Branch Policy (pull_request) Successful in 1s
PR RC Release / Build RC Release (pull_request) Successful in 2s
Universal: PR Check / Validate PR (pull_request) Successful in 12s
Generic: Project CI / Lint & Validate (pull_request) Successful in 37s
Universal: PR Check / Secret Scan (pull_request) Successful in 1m20s
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
Implements the code analysis scanner module that detects insecure
patterns across Go, PHP, Python, JavaScript, and TypeScript:

- SQL injection (CWE-89): string concat in queries across 4 languages
- XSS (CWE-79): innerHTML, document.write, unescaped output, dangerouslySetInnerHTML
- Command injection (CWE-78): exec with variables, shell=True, os.system
- Path traversal (CWE-22): unsanitized path joins, file open with user input
- Insecure deserialization (CWE-502): unserialize(), yaml.load()
- Hardcoded credentials (CWE-798): password assignments in source
- Weak cryptography (CWE-327): MD5/SHA-1 usage

22 rules total, language-filtered by file extension. Wired into the
existing scanner orchestrator via the CodeScanner config toggle.
API updated to expose code_scanner in GET/PATCH security config.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd
2026-06-28 08:15:34 -05:00