
PatchWork AutoFix #12

Open

wants to merge 4 commits into master from
Conversation

codelion (Member) commented Jul 30, 2024

This pull request from patched fixes 7 issues.



sonarcloud bot commented Aug 2, 2024

Quality Gate failed

Failed conditions
Security Rating on New Code: D (required ≥ A)

See analysis details on SonarCloud


@@ -38,4 +38,5 @@
return User.from_raw(await cur.fetchone())

def check_password(self, password: str):
return self.pwd_hash == md5(password.encode('utf-8')).hexdigest()
return self.pwd_hash == scrypt(password.encode('utf-8'), salt=b'some_salt', n=16384, r=8, p=1).hex()
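
Review bot: the salt in the new `check_password` is the constant `b'some_salt'`, so every user with the same password gets the same scrypt output and a single precomputed table covers the whole user base; generate a per-user salt with `os.urandom(16)` when the password is set, store it next to `pwd_hash` (or inside a self-describing `scrypt$n$r$p$salt$hash` string), and read it back here instead of hard-coding it. Two more things in the same hunk: compare with `hmac.compare_digest(...)` rather than `==` to avoid a timing side channel, and note that every existing `pwd_hash` is a 32-character MD5 hex digest which can never equal a scrypt hex digest, so current users are locked out until their records are migrated (for example by verifying the MD5 on login and rehashing). Also confirm `scrypt` is imported from `hashlib` in this module, since the import is not part of the hunk.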

Check failure: Code scanning / SonarCloud

Password hashing functions should use an unpredictable salt (High)

Make this salt unpredictable.

patched-codes bot commented Oct 31, 2024

File Changed: docker-compose.yml

Details: No violation of Rule 2 (Do not overlook possible security vulnerabilities introduced by code modifications) detected. In fact, the changes improve security by adding security options to the Redis service.

Affected Code Snippet:

  redis:
    image: redis:alpine
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
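
Review bot: `read_only: true` on the `redis` service only works as long as every path Redis writes to sits on a mounted volume; the official `redis:alpine` image declares `/data` as a volume, so RDB/AOF snapshots written there still succeed, but if a custom config sets `dir` elsewhere or anything needs a writable `/tmp`, add a `tmpfs:` entry for that path in the same service block, otherwise the first background save fails and Redis starts rejecting writes.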

Lines 10-15


File Changed: sqli/dao/student.py

Details: Potential bug introduced by removing extra spaces in LIMIT and OFFSET clauses

Affected Code Snippet:

q += ' LIMIT + %(limit)s '
q += ' OFFSET + %(offset)s '

Lines 30-33


Details: Security vulnerability introduced by removing string formatting and using parameterized queries

Affected Code Snippet:

q = ("INSERT INTO students (name) "
     "VALUES ('%(name)s')" % {'name': name})
await cur.execute(q)

Lines 42-44

File Changed: sqli/dao/user.py

Details: Potential violation of Rule 2 (Do not overlook possible security vulnerabilities introduced by code modifications). While the change from MD5 to scrypt is an improvement in terms of password hashing, the use of a hard-coded salt reduces the security benefits of scrypt.

Affected Code Snippet:

return self.pwd_hash == scrypt(password.encode('utf-8'), salt=b'some_salt', n=16384, r=8, p=1).hex()

Line 41

File Changed: sqli/static/js/materialize.js

Details: A potential security vulnerability has been introduced by changing innerHTML to textContent.

Affected Code Snippet:

-          toast.innerHTML = this.message;
+          toast.textContent = this.message;
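
Review bot: switching `toast.innerHTML` to `toast.textContent` at line 3443 stops markup in `this.message` from being parsed, which is the right default for untrusted text, but it also means any caller that deliberately passes HTML (a link or an icon inside a toast) now shows the tags literally; grep the application's toast calls before merging and, where markup is really needed, build it with `createElement`/`appendChild` rather than reverting to `innerHTML`.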

Line 3443


Details: The code modifications deviate from the original coding standards by introducing template literals and changing string concatenation style.

Affected Code Snippet:

-            }return null === L.remToPx && (L.remToPx = parseFloat(S.getPropertyValue(r.body, "fontSize")) || 16), null === L.vwToPx && (L.vwToPx = parseFloat(t.innerWidth) / 100, L.vhToPx = parseFloat(t.innerHeight) / 100), l.remToPx = L.remToPx, l.vwToPx = L.vwToPx, l.vhToPx = L.vhToPx, b.debug >= 1 && console.log("Unit ratios: " + JSON.stringify(l), o), l;
+            }return null === L.remToPx && (L.remToPx = parseFloat(S.getPropertyValue(r.body, "fontSize")) || 16), null === L.vwToPx && (L.vwToPx = parseFloat(t.innerWidth) / 100, L.vhToPx = parseFloat(t.innerHeight) / 100), l.remToPx = L.remToPx, l.vwToPx = L.vwToPx, l.vhToPx = L.vhToPx, b.debug >= 1 && console.log(`Unit ratios: ${JSON.stringify(l)}`, o), l;
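
Review bot: `sqli/static/js/materialize.js` is a vendored, minified third-party library, and the change at line 645 only rewrites a debug `console.log` from string concatenation to a template literal; it has no security effect and will be lost on the next library upgrade, so revert it and keep the diff to the application's own code.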

Line 645


Details: The code modifications deviate from the original coding standards by introducing template literals and changing string concatenation style.

Affected Code Snippet:

-                var N = E[H].startValue;E[H].startValue = E[H].currentValue = E[H].endValue, E[H].endValue = N, m.isEmptyObject(v) || (E[H].easing = s.easing), b.debug && console.log("reverse tweensContainer (" + H + "): " + JSON.stringify(E[H]), o);
+                var N = E[H].startValue;E[H].startValue = E[H].currentValue = E[H].endValue, E[H].endValue = N, m.isEmptyObject(v) || (E[H].easing = s.easing), b.debug && console.log(`reverse tweensContainer (${H}): ${JSON.stringify(E[H])}`, o);
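
Review bot: the template literal at line 661 is ES2015 syntax in a file that otherwise uses ES5 concatenation; unless this bundle is transpiled, it narrows browser support for a debug-only log line and brings no security benefit. Revert it together with the change at line 645.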

Line 661


Details: The code modifications deviate from the original coding standards by changing string concatenation style to use the %s format specifier.

Affected Code Snippet:

-                    q = M / q;}l[z] = { rootPropertyValue: B, startValue: M, currentValue: M, endValue: q, unitType: G, easing: $ }, b.debug && console.log("tweensContainer (" + z + "): " + JSON.stringify(l[z]), o);
+                    q = M / q;}l[z] = { rootPropertyValue: B, startValue: M, currentValue: M, endValue: q, unitType: G, easing: $ }, b.debug && console.log("tweensContainer (%s): %s", z, JSON.stringify(l[z]), o);
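
Review bot: the rewrite at line 699 changes how the call is evaluated: the original passed one preformatted string plus `o`, while `console.log("tweensContainer (%s): %s", z, JSON.stringify(l[z]), o)` relies on the console's format-specifier handling, with `z` and the JSON substituted by the console and `o` appended after them. The output is equivalent in consoles that support `%s`, but it is a style change to vendored code with no security impact; revert it.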

Line 699
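The SonarCloud finding and the sqli/dao/user.py note in this thread both come down to the same point: `b'some_salt'` is a constant, so identical passwords always hash to identical values and one precomputed table covers every account. The block below is an added example, not code from this PR or the repository; it shows `check_password` rebuilt around a random per-user salt, a constant-time comparison, and a rehash-on-login path for the 32-character MD5 records that the old code stored. The `scrypt$n$r$p$salt$hash` record format, the function names, and the hex-digit check used to recognise a legacy MD5 record are assumptions made for this example; the scrypt cost parameters are the ones from the PR diff.

```python
# Added example, not code from the PR or the repository. Shows a per-user
# random salt for scrypt, a constant-time comparison, and migration away from
# the unsalted MD5 records the pre-PR code stored. Record format and helper
# names are assumptions made for this example.
import hashlib
import hmac
import os
from typing import Optional, Tuple

SCRYPT_N, SCRYPT_R, SCRYPT_P = 16384, 8, 1   # same cost parameters as the PR
SALT_LEN = 16          # bytes of os.urandom stored alongside the hash
DKLEN = 32             # derived key length in bytes
HEX_DIGITS = set('0123456789abcdef')


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$n$r$p$salt_hex$hash_hex'.

    The salt is random per call, so two users with the same password get
    different records and one precomputed table cannot cover them both.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode('utf-8'), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f'scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}'


def verify_password(record: str, password: str) -> bool:
    """Check a password against a stored record; parameters come from the record."""
    try:
        algo, n, r, p, salt_hex, hash_hex = record.split('$')
        if algo != 'scrypt' or not hash_hex or len(hash_hex) % 2:
            return False
        digest = hashlib.scrypt(password.encode('utf-8'),
                                salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p),
                                dklen=len(hash_hex) // 2)
    except ValueError:          # malformed record, bad hex or bad parameters
        return False
    # Constant-time comparison instead of '==' to avoid a timing side channel.
    return hmac.compare_digest(digest.hex(), hash_hex)


def legacy_md5_hash(password: str) -> str:
    """The scheme the PR replaces; kept only so old records can be migrated."""
    return hashlib.md5(password.encode('utf-8')).hexdigest()


def is_legacy_md5(record: str) -> bool:
    """An unsalted 32-hex-digit string is a pre-migration MD5 record."""
    return len(record) == 32 and set(record) <= HEX_DIGITS


def check_and_upgrade(stored: str, password: str) -> Tuple[bool, Optional[str]]:
    """Rehash-on-login: returns (ok, new_record). new_record is set only when
    an MD5 record verified and should now be replaced in the database."""
    if is_legacy_md5(stored):
        ok = hmac.compare_digest(stored, legacy_md5_hash(password))
        return ok, (hash_password(password) if ok else None)
    return verify_password(stored, password), None


def fixed_salt_hash(password: str) -> str:
    """The PR's version with the hard-coded salt, kept only to show the problem:
    identical passwords always produce identical output."""
    return hashlib.scrypt(password.encode('utf-8'), salt=b'some_salt',
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P).hex()
```

In the DAO, `check_password` becomes `verify_password(self.pwd_hash, password)`, and the login handler writes the returned `new_record` back to the row whenever `check_and_upgrade` hands one out, so the MD5 digests disappear as users sign in rather than all at once.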
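The sqli/dao/student.py snippets show the two ways the students INSERT can be written: the `%`-formatted string splices the name into the SQL text, so a quote in the name rewrites the statement, while a parameterized query hands the value to the driver separately. The block below is an added example, not code from the PR or the repository; it runs both forms against an in-memory SQLite database so the difference is visible offline, and parameterizes the LIMIT/OFFSET query as well. SQLite's placeholder style is `:name` rather than the `%(name)s` pyformat style the project's driver uses; the table layout, the helper names, and the attacker input `PAYLOAD` are constructed for this example.

```python
# Added example, not code from the PR or the repository: the students INSERT
# in its injectable and its parameterised form, run against in-memory SQLite.
# Table layout, helper names and the attacker string are constructed here.
import sqlite3
from typing import Dict, List

# Constructed attacker input: closes the quoted value, then adds a second row.
PAYLOAD = "Mallory'), ('injected"


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)')
    return conn


def insert_vulnerable(conn: sqlite3.Connection, name: str) -> None:
    # Same shape as the pre-fix code: the value becomes part of the SQL text,
    # so the attacker controls the statement's structure, not just a value.
    q = ("INSERT INTO students (name) "
         "VALUES ('%(name)s')" % {'name': name})
    conn.execute(q)


def insert_safe(conn: sqlite3.Connection, name: str) -> None:
    # Parameterised: the SQL text is fixed, the value travels separately.
    # sqlite3 uses ':name'; the project's driver takes the same dict with
    # '%(name)s' placeholders (pyformat).
    conn.execute("INSERT INTO students (name) VALUES (:name)", {'name': name})


def list_students(conn: sqlite3.Connection, limit: int, offset: int) -> List[str]:
    # LIMIT and OFFSET are bound as integers too; no spaces or '+' tricks in the
    # SQL text are needed, and bool is rejected so True/False cannot sneak in.
    for value in (limit, offset):
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            raise ValueError('limit and offset must be non-negative integers')
    rows = conn.execute(
        'SELECT name FROM students ORDER BY id LIMIT :limit OFFSET :offset',
        {'limit': limit, 'offset': offset}).fetchall()
    return [r[0] for r in rows]


def demo() -> Dict[str, List[str]]:
    """Insert PAYLOAD both ways and return what each table ends up holding."""
    vulnerable_db = new_db()
    insert_vulnerable(vulnerable_db, PAYLOAD)      # two rows appear
    safe_db = new_db()
    insert_safe(safe_db, PAYLOAD)                  # one row, name kept verbatim
    return {
        'vulnerable': list_students(vulnerable_db, 10, 0),
        'safe': list_students(safe_db, 10, 0),
    }


if __name__ == '__main__':
    print(demo())
```

The vulnerable path turns one INSERT into `VALUES ('Mallory'), ('injected')` and stores two rows; the safe path stores the attacker string as an ordinary name. With a driver that allows stacked statements the same splice would also let an attacker append a second statement, which is why the string-formatting form has to go regardless of how the input is validated upstream.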
