
Fix CodeQL security findings and exclude third-party code#184

Merged: mniedermaier merged 1 commit into main from fix/codeql-findings on Mar 26, 2026

Conversation

@mniedermaier (Owner)

Summary

  • Fix 36 CodeQL alerts in our own code (stack trace exposure, path injection, ReDoS, clear text logging)
  • Exclude OpenPLC_v3 third-party code from CodeQL scanning (32 alerts in upstream code)
  • Document 2 intentional findings (webshell command exec, MITM bind-all-interfaces)

Changes

| Fix | Alerts | Files |
|---|---|---|
| Stack trace exposure → generic error messages | 31 | app.py, network_routes.py, cybicsagent/app.py |
| Path injection → safe_join + path validation | 2 | app.py |
| Polynomial ReDoS → bounded regex | 1 | cybicsagent/app.py |
| Clear text password logging → masked output | 2 | test_opcua_auth.py |
| Exclude OpenPLC_v3 from scanning | 32 | codeql-config.yml |
| Intentional: documented with comments | 2 | app.py, mitm.py |
| Total | 70 | |

Test plan

  • Verify landing page still works (error responses now show generic messages)
  • Verify training content file serving still works (path validation added)
  • Verify CodeQL workflow runs with new config and OpenPLC alerts are excluded
  • Verify cybicsagent chat functionality not affected by regex change

🤖 Generated with Claude Code

- Fix 31 stack trace exposure alerts: replace str(e) with generic
  error messages in landing app, network routes, and cybicsagent
- Fix 2 path injection alerts: add safe_join and path validation
  for training content file serving routes
- Fix 1 polynomial ReDoS: bound regex repetition in cybicsagent
- Fix 2 clear text password logging alerts in OPC-UA tests
- Exclude OpenPLC_v3 third-party code from CodeQL analysis via
  codeql-config.yml (32 alerts in upstream code we don't maintain)
- Document 2 intentional findings: webshell command execution and
  MITM proxy bind-all-interfaces

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
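To make the first two rows of the table concrete, here is an added example (not code from this repository or its commit) showing the "before" and "after" shape of a Flask-style content-serving route: a raw path join that returns `str(e)` to the client, beside a route that validates the path with a `safe_join` and answers with a generic message while the detail goes to the server log. The password-masking helper covers the test_opcua_auth.py row. Everything is reduced to plain Python so it runs without Flask; `CONTENT_ROOT`, the `FILES` dict standing in for the filesystem, `read_file`, and the handler names are constructed for the demo, and `safe_join` is a local re-implementation of the checks werkzeug's function makes rather than an import of it.

```python
"""Added example, not code from the repository: the fix patterns the PR lists
(safe_join + path validation, generic error messages instead of str(e), masked
credentials in logs), reduced to plain Python so they run without Flask."""
import logging
import posixpath

log = logging.getLogger("landing")

# Constructed stand-ins: a content root and a dict that plays the filesystem.
# The /etc/passwd entry exists only to show what a traversal would reach.
CONTENT_ROOT = "/srv/training"
LOCKED = "/srv/training/locked.bin"   # read_file() raises for this one
FILES = {
    "/srv/training/lesson1/index.html": b"<h1>Lesson 1</h1>",
    "/srv/training/notes.md": b"# notes",
    LOCKED: b"not readable",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh",
}


def read_file(path):
    """Stand-in for open(path, 'rb').read(); raises like the OS would for an
    unreadable file so the error-handling difference is visible."""
    if path == LOCKED:
        raise PermissionError(f"[Errno 13] Permission denied: '{path}'")
    return FILES[path]


def safe_join(directory, *pathnames):
    """Join untrusted segments under `directory`, or return None if the result
    would escape it.  Same checks as werkzeug.utils.safe_join (normalise, then
    reject absolute paths, a leading '..' and backslashes); re-implemented here
    so the example needs no Flask/Werkzeug install."""
    parts = [directory]
    for name in pathnames:
        if name != "":
            name = posixpath.normpath(name)
        if (posixpath.isabs(name) or name == ".."
                or name.startswith("../") or "\\" in name):
            return None
        parts.append(name)
    return posixpath.join(*parts)


def serve_before(requested):
    """'Before' shape of the route: no path validation, and str(e) is sent
    back to the client (the stack trace / error exposure CodeQL alert)."""
    path = posixpath.normpath(posixpath.join(CONTENT_ROOT, requested))
    try:
        return 200, read_file(path)
    except Exception as e:
        return 500, f"Error: {e}".encode()   # leaks the resolved path


def serve_after(requested):
    """'After' shape: safe_join blocks traversal; failures are logged with
    full detail server-side while the client only sees a generic message."""
    path = safe_join(CONTENT_ROOT, requested)
    if path is None or path not in FILES:
        log.warning("rejected or missing training file %r", requested)
        return 404, b"Not found"
    try:
        return 200, read_file(path)
    except Exception:
        log.exception("failed to serve %r", path)   # detail stays in the log
        return 500, b"Internal server error"


def mask(secret):
    """Replace a credential with a fixed mask before it reaches a log line."""
    return "****" if secret else "(empty)"


def auth_log_line(user, password):
    """Log line for an OPC-UA auth attempt with the password masked."""
    return f"opcua auth user={user} password={mask(password)}"


if __name__ == "__main__":
    for req in ("lesson1/index.html", "../../etc/passwd", "locked.bin"):
        print(req, "->", serve_before(req), "|", serve_after(req))
    print(auth_log_line("opc", "hunter2"))
```

The generic-message rule is the same one applied across all 31 alerts: log the exception where operators can read it, never echo it to the requester. The 404 for a rejected path (rather than a distinct 403) avoids confirming to the caller whether the traversal target existed.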
Review comment threads (dismissed):

  • software/landing/app.py
  • tests/test_opcua_auth.py
  • training/mitm/mitm.py
mniedermaier merged commit 4343a6d into main on Mar 26, 2026 (12 checks passed) and deleted the fix/codeql-findings branch on March 26, 2026 at 20:51.