chore: fix false positives in CodeQL (#17138)

Clears up some false positives being surfaced by CodeQL
Jon Ayers
2025-03-27 16:06:58 -05:00
committed by GitHub
parent e1f27a7137
commit eded0ed4b6
3 changed files with 6 additions and 10 deletions


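--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -491,21 +491,15 @@ func convertDockerInspect(raw []byte) ([]codersdk.WorkspaceAgentContainer, []str
 // "8080" -> 8080, "tcp"
 func convertDockerPort(in string) (uint16, string, error) {
 	parts := strings.Split(in, "/")
+	p, err := strconv.ParseUint(parts[0], 10, 16)
+	if err != nil {
+		return 0, "", xerrors.Errorf("invalid port format: %s", in)
+	}
 	switch len(parts) {
 	case 1:
 		// assume it's a TCP port
-		p, err := strconv.Atoi(parts[0])
-		if err != nil {
-			return 0, "", xerrors.Errorf("invalid port format: %s", in)
-		}
-		// #nosec G115 - Safe conversion since Docker TCP ports are limited to uint16 range
 		return uint16(p), "tcp", nil
 	case 2:
-		p, err := strconv.Atoi(parts[0])
-		if err != nil {
-			return 0, "", xerrors.Errorf("invalid port format: %s", in)
-		}
-		// #nosec G115 - Safe conversion since Docker ports are limited to uint16 range
 		return uint16(p), parts[1], nil
 	default:
 		return 0, "", xerrors.Errorf("invalid port format: %s", in)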
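Review bot: In `case 2` the new code still returns `parts[1]` unchecked, so a constructed input such as `8080/` yields port 8080 with an empty protocol and no error; a guard such as `if parts[1] == "" { return 0, "", xerrors.Errorf("invalid port format: %q", in) }` before that return would keep the rejection path consistent with the `default` case. The hoisted `ParseUint` call also discards the underlying `err`; wrapping it with `%w` (`xerrors.Errorf("invalid port format: %q: %w", in, err)`) would let callers and logs distinguish a non-numeric value from an out-of-range one. Since `ParseUint(parts[0], 10, 16)` now rejects negatives and anything above 65535, the remaining `uint16(p)` conversions are sound and dropping the `#nosec G115` comments is correct. The closing braces of the switch and of convertDockerPort lie outside the hunk.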


@ -76,6 +76,7 @@ func listFiles(query LSRequest) (LSResponse, error) {
return LSResponse{}, xerrors.Errorf("failed to get absolute path of %q: %w", fullPathRelative, err) return LSResponse{}, xerrors.Errorf("failed to get absolute path of %q: %w", fullPathRelative, err)
} }
// codeql[go/path-injection] - The intent is to allow the user to navigate to any directory in their workspace.
f, err := os.Open(absolutePathString) f, err := os.Open(absolutePathString)
if err != nil { if err != nil {
return LSResponse{}, xerrors.Errorf("failed to open directory %q: %w", absolutePathString, err) return LSResponse{}, xerrors.Errorf("failed to open directory %q: %w", absolutePathString, err)


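--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1100,6 +1100,7 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 	// We use AuthCodeURL from the OAuth2Config field instead of the one on
 	// GithubOAuth2Config because when device flow is configured, AuthCodeURL
 	// is overridden and returns a value that doesn't pass the URL check.
+	// codeql[go/constant-oauth2-state] -- We are solely using the AuthCodeURL from the OAuth2Config field in order to validate the hostname of the external auth provider.
 	if externalauth.IsGithubDotComURL(api.GithubOAuth2Config.OAuth2Config.AuthCodeURL("")) && user.GithubComUserID.Int64 != ghUser.GetID() {
 		err = api.Database.UpdateUserGithubComUserID(ctx, database.UpdateUserGithubComUserIDParams{
 			ID: user.ID,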
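Review bot: The new suppression comment separates the codeql tag from its justification with `--`, while the one added to listFiles in the same commit uses a single `-`; settling on one form (`// codeql[go/constant-oauth2-state] - ...`) keeps the annotations consistent across the codebase. The justification is also a single line of roughly 170 characters directly under a comment block wrapped at about 80; wrapping it to match would read better, and it could state explicitly that the URL produced with the empty state is never sent to a client or used as a redirect, only inspected for its host, which is the property that makes the constant state harmless. The enclosing if block and userOAuth2Github continue past the hunk.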