
Fix code scanning alert

Open DonnieBLT opened this issue 10 months ago • 2 comments

Tracking issue for:

  • [ ] https://github.com/OWASP-BLT/BLT/security/code-scanning/190

DonnieBLT avatar Feb 21 '25 01:02 DonnieBLT

@coderabbit code

igennova avatar Mar 15 '25 09:03 igennova

[!TIP] For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
# Get basic information about the repository
echo "Repository Information:"
git remote -v
echo ""

# Check the README file for project information
echo "Project Information from README:"
if [ -f README.md ]; then
    head -n 20 README.md
else
    echo "README.md not found"
    find . -name "README*" | head -n 5
fi
echo ""

# Get information about the issue
echo "Checking for issue information in commit messages or PR description:"
git log --grep="#3680" --oneline
echo ""

# Look for code scanning workflow files to understand what kind of scanning is being performed
echo "Code scanning workflow files:"
find .github -name "*.yml" | grep -i scan
echo ""

# Check for security-related configuration files
echo "Security-related configuration files:"
find . -name "*.yml" | grep -i security
find . -name "*.json" | grep -i security
echo ""

# Search for recent commits that might be related to fixing security issues
echo "Recent commits that might be related to security fixes:"
git log --grep="security\|vuln\|alert\|fix" -n 5 --oneline
```

Length of output: 2091


🏁 Script executed:

```bash
#!/bin/bash
# Get more specific information about the issue
echo "Checking GitHub issue 3680 using GitHub CLI:"
gh issue view 3680 || echo "Couldn't fetch issue - may need permissions or GH CLI setup"
echo ""

# Try to find information about the code scanning alert
echo "Searching for information about the code scanning alert:"
gh api repos/OWASP-BLT/BLT/code-scanning/alerts/190 || echo "Couldn't fetch code scanning alert - may need permissions"
echo ""

# Check if there's any information in the codebase about this alert
echo "Checking the codebase for clues about this security issue:"
find . -type f -name "*.py" | xargs grep -l "security" 2>/dev/null | head -n 10
echo ""

# Look for common security patterns/issues in the Python code
echo "Checking for common Python security patterns:"
grep -r "eval(" --include="*.py" . 2>/dev/null | head -n 10
grep -r "exec(" --include="*.py" . 2>/dev/null | head -n 10
grep -r "os.system(" --include="*.py" . 2>/dev/null | head -n 10
grep -r "subprocess" --include="*.py" . 2>/dev/null | head -n 10
grep -r "open(" --include="*.py" . 2>/dev/null | head -n 10
echo ""

# Check for any Django-specific security issues
echo "Checking for Django-specific security patterns:"
grep -r "CSRF" --include="*.py" . 2>/dev/null | head -n 10
grep -r "XSS" --include="*.py" . 2>/dev/null | head -n 10
grep -r "SQL Injection" --include="*.py" . 2>/dev/null | head -n 10
grep -r "render_to_response" --include="*.py" . 2>/dev/null | head -n 10
echo ""

# Check for recent changes that might be related to security
echo "Recent file changes that might be security-related:"
git log --stat -n 5 | grep -i "\.py"
```

Length of output: 3977


🏁 Script executed:

```bash
#!/bin/bash
# Let's first look for Python files containing eval as that's a common security concern
echo "Checking for eval() usage in Python files:"
grep -r "eval(" --include="*.py" . | head -n 20
echo ""

# Let's look at the website/views/core.py file since it uses subprocess
echo "Examining core.py which uses subprocess:"
cat website/views/core.py | grep -A 10 -B 10 "subprocess"
echo ""

# Let's check for any GitHub CodeQL config files
echo "Looking for CodeQL configuration:"
find . -name "codeql*" -o -name "*.qls" -o -name "*.ql"
find .github -type f -name "*.yml" | xargs grep -l "codeql" 2>/dev/null
echo ""

# Get more context on any suspicious code
echo "Looking for potentially unsafe code patterns:"
grep -r "request.GET\|request.POST" --include="*.py" . | grep -i "eval\|exec\|subprocess\|system" 2>/dev/null
grep -r "mark_safe" --include="*.py" . | head -n 10
echo ""

# Check if there's any recent activity/PR related to this issue
echo "Recent commits that might be related to the issue:"
git log --since="2 months ago" --grep="#3680\|#190\|code.scanning\|security" --oneline
echo ""

# Let's check the most recent security alerts or issues
echo "Recent security-related issues:"
gh issue list --label security --state open || echo "Couldn't fetch issues - may need permissions"
echo ""

# Let's look at the GitHub Actions workflow files to understand the code scanning
echo "GitHub Actions workflow files:"
find .github/workflows -type f -name "*.yml" | xargs cat
```

Length of output: 15383


@igennova Based on the repository information and my analysis, I believe the code scanning alert is related to subprocess usage in the codebase. I found the following potential security issue in website/views/core.py:

```python
import os
import subprocess


def get_last_commit_date():
    try:
        return (
            subprocess.check_output(
                ["git", "log", "-1", "--format=%cd"],
                cwd=os.path.dirname(os.path.dirname(__file__)),
            )
            .decode("utf-8")
            .strip()
        )
    except FileNotFoundError:
        return "Not available"
```

Here's a more secure version of this code that addresses common subprocess security issues:

```python
import os
import subprocess


def get_last_commit_date():
    try:
        # Using subprocess.run instead of check_output
        # Adding timeout to prevent hanging
        # Explicitly setting check=True to raise exceptions on errors
        result = subprocess.run(
            ["git", "log", "-1", "--format=%cd"],
            cwd=os.path.dirname(os.path.dirname(__file__)),
            capture_output=True,
            text=True,
            timeout=10,
            check=True,
        )
        return result.stdout.strip()
    except (subprocess.SubprocessError, FileNotFoundError):
        # Catch all subprocess-related exceptions
        return "Not available"
```

This improved version:

  1. Uses the more modern subprocess.run() method
  2. Adds a timeout to prevent hanging processes
  3. Uses text=True instead of manual decoding
  4. Catches all subprocess-related exceptions
  5. Explicitly sets check=True to raise exceptions on errors

⛔ Permission issue

There was a permission issue. Please ask the repository administrator to refresh CodeRabbit's permissions at https://github.com/apps/coderabbitai/installations/62667323.

coderabbitai[bot] avatar Mar 15 '25 09:03 coderabbitai[bot]
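As an added example (not code from the BLT repository or from the CodeRabbit comment), the script below exercises the behavioural difference the bot's numbered list leaves implicit: the original pattern catches only FileNotFoundError, so a non-zero git exit status (for instance when the deployment directory is not a git checkout) escapes as CalledProcessError and surfaces as a server error, while the hardened pattern maps every failure, including a hang, to the fallback string. The commands are constructed stand-ins built on sys.executable so the script runs without git, and the function names are hypothetical.

```python
# Added example, not code from the BLT repository or the CodeRabbit comment.
# It exercises the failure modes that separate the two versions of
# get_last_commit_date() above: non-zero exit, hang, and missing binary.
# Commands are constructed with sys.executable so no git install is needed.
import subprocess
import sys

NOT_AVAILABLE = "Not available"

def original_style(cmd, cwd=None):
    """Original pattern: only FileNotFoundError is caught, so a non-zero
    exit (CalledProcessError) propagates to the caller."""
    try:
        return subprocess.check_output(cmd, cwd=cwd).decode("utf-8").strip()
    except FileNotFoundError:
        return NOT_AVAILABLE

def hardened_style(cmd, cwd=None, timeout=10.0):
    """Hardened pattern: timeout-bounded, and every SubprocessError subclass
    (CalledProcessError, TimeoutExpired) is mapped to the fallback value."""
    try:
        result = subprocess.run(
            cmd, cwd=cwd, capture_output=True, text=True,
            timeout=timeout, check=True,
        )
        return result.stdout.strip()
    except (subprocess.SubprocessError, FileNotFoundError):
        return NOT_AVAILABLE

# Constructed stand-ins for `git log -1 --format=%cd` in four states.
PY = sys.executable
CMD_OK = [PY, "-c", "print('Sat Mar 15 09:03:00 2025 +0000')"]
CMD_FAILS = [PY, "-c", "import sys; sys.exit(128)"]  # like "not a git repo"
CMD_HANGS = [PY, "-c", "import time; time.sleep(30)"]
CMD_MISSING = ["no-such-binary-for-this-example"]

def original_raises_on_failure():
    """True when the original pattern lets CalledProcessError escape."""
    try:
        original_style(CMD_FAILS)
    except subprocess.CalledProcessError:
        return True
    return False

if __name__ == "__main__":
    print("original raises on non-zero exit:", original_raises_on_failure())
    print("hardened, ok:", hardened_style(CMD_OK))
    print("hardened, hang:", hardened_style(CMD_HANGS, timeout=0.5))
    print("hardened, missing:", hardened_style(CMD_MISSING))
```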

@DonnieBLT There's no screenshot or any information on this issue. From your old PR it seems this was SSRF in the OWASP compliance check, which was fixed by #4091

gojo-satorou-v7 avatar Apr 05 '25 15:04 gojo-satorou-v7

If it's the same then please close this issue

gojo-satorou-v7 avatar Apr 05 '25 15:04 gojo-satorou-v7