
false positive on semgrep rule for RPC for workload identities

Open tgross opened this issue 2 years ago • 0 comments

We'll need to update the rpc-potentially-unauthenticated rule to account for handling of workload identity-based auth, like we have in Secure Variables (example: https://github.com/hashicorp/nomad/actions/runs/2799623079/jobs/4414032548):

  nomad/secure_variables_endpoint.go 
     semgrep.rpc-potentially-unauthenticated
        RPC method structs.SecureVariablesApplyRPCMethod appears to be unauthenticated

         32┆ if done, err := sv.srv.forward(structs.SecureVariablesApplyRPCMethod, args, args, reply); done {
         33┆ 	return err
         34┆ }

(Opening an issue rather than just fixing it because I might not get a chance to hit this before I'm out next week.)

tgross, Aug 05 '22 14:08