[TEST] - Add QA testing workflow #266
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
* updated path traversal, shell injection, SQL injection, and SSRF checks to utilize TrimInvisible for input sanitization * Update * Update * Add test --------- Co-authored-by: root <[email protected]>
* implement URL normalization function and enhance SSRF detection * add error checking in URL parsing * refactor * add default ports for HTTP and HTTPS schemes * update test * adding user info removal and improving backslash handling in request processing * fix test cases for URL normalization * enhance URL normalization and add test cases for SSRF detection * refactor SSRF test * update * update * add comment to clarify URL parsing error handling * test --------- Co-authored-by: root <[email protected]>
![aikido-pr-checks[bot]](https://avatars.githubusercontent.com/in/898896?s=60&v=4){kind=small}
| } | ||
|
|
||
| func isTrimRune(r rune) bool { | ||
| // 1) All Unicxde whitespace |
There was a problem hiding this comment.
Comment contains typo 'Unicxde' instead of 'Unicode' which makes documentation incorrect. More info
| } | ||
| // If the port is not present, we need to add it based on the scheme | ||
| if parsedURL.Port() == "" { | ||
| port := 0 |
There was a problem hiding this comment.
Default port logic sets port to 0 for non-http/https schemes, resulting in invalid URLs like 'example.com:0'. More info
PopoviciMarian
changed the title
| func removeCTLByte(urlStr string) string { | ||
| for i := 0; i < len(urlStr); i++ { | ||
| if urlStr[i] <= ' ' || urlStr[i] == 0x7f { | ||
| urlStr = urlStr[:i] + urlStr[i+1:] |
There was a problem hiding this comment.
Function parameter urlStr is reassigned, making it harder to track the original input value. More info
| return false | ||
| } | ||
| // if hostname contains : we need to add the [ and ] to the hostname (ipv6) | ||
| if strings.Contains(hostname, ":") { |
There was a problem hiding this comment.
Parameter 'hostname' is reassigned, making original value unclear. More info
|
|
||
| userInput = helpers.ExtractResourceOrOriginal(userInput) | ||
| variants := []string{userInput, "http://" + userInput, "https://" + userInput} | ||
| userInput = helpers.NormalizeRawUrl(userInput) |
There was a problem hiding this comment.
Parameter 'userInput' is reassigned, making original value unclear. More info
Co-authored-by: root <[email protected]>
| } | ||
| } | ||
|
|
||
| // if the response is 302, we need to check CURLINFO_REDIRECT_URL |
There was a problem hiding this comment.
Comment restates obvious code mechanics without explaining why 302 responses need special redirect URL checking. More info
Co-authored-by: root <[email protected]>
| return Context.Callback(C.OUTGOING_REQUEST_RESPONSE_CODE) | ||
| } | ||
|
|
||
| func GetOutgoingRequestRedirectUrl() string { |
There was a problem hiding this comment.
Function name GetOutgoingRequestRedirectUrl suggests it returns a URL but actually returns only the hostname portion. More info
| runs-on: ubuntu-latest | ||
| needs: [ build_deb ] | ||
| steps: | ||
|
|
||
| - name: Checkout zen-demo-php | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| repository: Aikido-demo-apps/zen-demo-php | ||
| path: zen-demo-php | ||
| ref: dev-testing | ||
| submodules: recursive | ||
|
|
||
| - name: Get Arch | ||
| run: echo "ARCH=$(uname -m)" >> $GITHUB_ENV | ||
|
|
||
| - name: Download artifacts | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: aikido-php-firewall.${{ env.ARCH }}.deb | ||
| path: ./zen-demo-php | ||
|
|
||
| - name: Overwrite aikido.sh install script | ||
| run: | | ||
| echo "dpkg -i -E \"/var/www/html/aikido-php-firewall.\$(uname -i).deb\"" > ./zen-demo-php/.fly/scripts/aikido.sh | ||
| - name: Run Firewall QA Tests | ||
| uses: AikidoSec/firewall-tester-action@releases/v1 | ||
| with: | ||
| dockerfile_path: ./zen-demo-php/Dockerfile | ||
| extra_args: '--env-file=./zen-demo-php/.env.example -e APP_KEY=base64:W2v6u6VR4lURkxuMT9xZ6pdhXSt5rxsmWTbd1HGqlIM=' | ||
| sleep_before_test: 20 | ||
| skip_tests: test_wave_attack,test_rate_limiting_group_id_1_minute | ||
| max_parallel_tests: 7 | ||
| ignore_failures: true |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 1 month ago
To fix this problem, we should explicitly set the permissions for the affected job to the minimal necessary privileges. The most conservative default is contents: read, which allows the job to checkout code and read repository contents, but does not allow write operations. This should be added to the test_php_qa_action job definition, immediately after the runs-on: line (line 451, in context), or optionally also at the workflow root for global enforcement. Since only this job is flagged, we will add:
permissions:
contents: readafter runs-on: ubuntu-latest (line 451).
| @@ -449,6 +449,8 @@ | ||
|
|
||
| test_php_qa_action: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| needs: [ build_deb ] | ||
| steps: | ||
|
|
| return "" | ||
| } | ||
|
|
||
| parts := strings.Split(value, ",") |
There was a problem hiding this comment.
Function has 6+ levels of nested control flow that could be simplified with early returns or helper functions. More info
PopoviciMarian
force-pushed
the
add-qa-tester-action
branch
from
a2eaf75 to
8e339ff
Compare
* Add GetMethod function to Server class for handling HTTP method overrides - Implemented GetMethod to retrieve the request method, supporting X-HTTP-METHOD-OVERRIDE and _method query parameter for frameworks like Symfony and Laravel. - Added utility function ToUppercase for string manipulation. - Updated GoContextCallback to use the new GetMethod function. * test * Add getMethodFromQuery function to Server class * Refactor getMethodFromQuery to improve query method retrieval * Refactor Symfony request class check in Server.cpp * update * fix * fix --------- Co-authored-by: root <[email protected]>
| // Return the method from the query param _method (_GET["_method"]) | ||
| std::string Server::GetMethodFromQuery() { | ||
| zval *get_array; | ||
| get_array = zend_hash_str_find(&EG(symbol_table), "_GET", sizeof("_GET") - 1); |
There was a problem hiding this comment.
Pointer get_array is dereferenced without null check after zend_hash_str_find call. More info
| std::string Server::GetMethod() { | ||
| std::string method = ToUppercase(this->GetVar("REQUEST_METHOD")); | ||
|
|
||
| // TODO: Add a check here to see if the request is from Symfony or Laravel |
There was a problem hiding this comment.
TODO comment indicates incomplete work that should be tracked properly or implemented. More info
* Propagate disk logs env (#274) * Propage disk logs * Remove SQL query logging --------- Co-authored-by: Tudor Timcu <[email protected]> Co-authored-by: root <[email protected]>
No description provided.