fix(ci): pin semgrep version, add pip cache, harden rule severity
All checks were successful
CI / Unit & Component Tests (pull_request) Successful in 3m2s
CI / OCR Service Tests (pull_request) Successful in 18s
CI / Backend Unit Tests (pull_request) Successful in 2m55s
CI / fail2ban Regex (pull_request) Successful in 42s
CI / Semgrep Security Scan (pull_request) Successful in 18s
CI / Compose Bucket Idempotency (pull_request) Successful in 59s
CI / Unit & Component Tests (push) Successful in 3m3s
CI / OCR Service Tests (push) Successful in 19s
CI / Backend Unit Tests (push) Successful in 2m56s
CI / fail2ban Regex (push) Successful in 40s
CI / Semgrep Security Scan (push) Successful in 17s
CI / Compose Bucket Idempotency (push) Successful in 59s
All checks were successful
CI / Unit & Component Tests (pull_request) Successful in 3m2s
CI / OCR Service Tests (pull_request) Successful in 18s
CI / Backend Unit Tests (pull_request) Successful in 2m55s
CI / fail2ban Regex (pull_request) Successful in 42s
CI / Semgrep Security Scan (pull_request) Successful in 18s
CI / Compose Bucket Idempotency (pull_request) Successful in 59s
CI / Unit & Component Tests (push) Successful in 3m3s
CI / OCR Service Tests (push) Successful in 19s
CI / Backend Unit Tests (push) Successful in 2m56s
CI / fail2ban Regex (push) Successful in 40s
CI / Semgrep Security Scan (push) Successful in 17s
CI / Compose Bucket Idempotency (push) Successful in 59s
- Pin semgrep to 1.163.0 to prevent silent upgrades breaking the scan - Add cache: 'pip' to setup-python@v5 for faster CI runs - Promote all three XXE Semgrep rules from WARNING to ERROR to match the --error CI flag intent - Update SAX/StAX rule messages to reference XxeSafeXmlParser and the OWASP XXE prevention cheat sheet - Remove stale issue reference from regression test comment - Document XML metacharacter constraint on buildValidOds test helper Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit was merged in pull request #610.
This commit is contained in:
Marcel
@@ -527,7 +527,7 @@ class MassImportServiceTest {
|
||||
|
||||
// ─── readOds — XXE security regression ───────────────────────────────────
|
||||
|
||||
// Security regression — do not remove. Introduced by issue #528.
|
||||
// Security regression — do not remove.
|
||||
@Test
|
||||
void readOds_rejects_xxe_doctype_payload(@TempDir Path tempDir) throws Exception {
|
||||
File malicious = buildXxeOds(tempDir, "file:///etc/hostname");
|
||||
@@ -595,7 +595,8 @@ class MassImportServiceTest {
|
||||
return writeOdsZip(dir.resolve("malicious.ods"), xml);
|
||||
}
|
||||
|
||||
/** Creates a minimal valid ODS ZIP containing a content.xml with the given cell value. */
|
||||
/** Creates a minimal valid ODS ZIP containing a content.xml with the given cell value.
|
||||
* cellValue must not contain XML metacharacters ({@code < > &}). */
|
||||
private File buildValidOds(Path dir, String cellValue) throws Exception {
|
||||
String xml = "<?xml version=\"1.0\"?>"
|
||||
+ "<office:document-content"
|
||||
|
||||
Reference in New Issue
Block a user