marcel/familienarchiv
1
0
Fork 0
Code Issues 114 Pull Requests 3 Actions Packages Projects Releases Wiki Activity

fix(ci): pin semgrep version, add pip cache, harden rule severity
All checks were successful
CI / Unit & Component Tests (pull_request) Successful in 3m2s
Details
CI / OCR Service Tests (pull_request) Successful in 18s
Details
CI / Backend Unit Tests (pull_request) Successful in 2m55s
Details
CI / fail2ban Regex (pull_request) Successful in 42s
Details
CI / Semgrep Security Scan (pull_request) Successful in 18s
Details
CI / Compose Bucket Idempotency (pull_request) Successful in 59s
Details
CI / Unit & Component Tests (push) Successful in 3m3s
Details
CI / OCR Service Tests (push) Successful in 19s
Details
CI / Backend Unit Tests (push) Successful in 2m56s
Details
CI / fail2ban Regex (push) Successful in 40s
Details
CI / Semgrep Security Scan (push) Successful in 17s
Details
CI / Compose Bucket Idempotency (push) Successful in 59s
Details

Browse Source 
- Pin semgrep to 1.163.0 to prevent silent upgrades breaking the scan
- Add cache: 'pip' to setup-python@v5 for faster CI runs
- Promote all three XXE Semgrep rules from WARNING to ERROR to match
  the --error CI flag intent
- Update SAX/StAX rule messages to reference XxeSafeXmlParser and
  the OWASP XXE prevention cheat sheet
- Remove stale issue reference from regression test comment
- Document XML metacharacter constraint on buildValidOds test helper

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit was merged in pull request #610.
This commit is contained in:
Marcel
2026-05-17 16:18:03 +02:00
parent f15ea031d1
commit 669eaa7c65
3 changed files with 15 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.gitea/workflows/ci.yml
View File

@@ -289,9 +289,10 @@ jobs:
- uses: actions/setup-python@v5 - uses: actions/setup-python@v5
with: with:
python-version: '3.11' python-version: '3.11'
cache: 'pip'
- name: Install Semgrep - name: Install Semgrep
run: pip install semgrep run: pip install semgrep==1.163.0
- name: Run security rules - name: Run security rules
run: semgrep --config .semgrep/security.yml --error --metrics=off backend/src/ run: semgrep --config .semgrep/security.yml --error --metrics=off backend/src/

15
.semgrep/security.yml
View File

@@ -17,8 +17,9 @@ rules:
message: > message: >
DocumentBuilderFactory without XXE protection (CWE-611). DocumentBuilderFactory without XXE protection (CWE-611).
Call XxeSafeXmlParser.hardenedFactory() instead of DocumentBuilderFactory.newInstance(). Call XxeSafeXmlParser.hardenedFactory() instead of DocumentBuilderFactory.newInstance().
See: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
languages: [java] languages: [java]
severity: WARNING severity: ERROR
# SAXParserFactory without XXE hardening. # SAXParserFactory without XXE hardening.
- id: sax-xxe-default - id: sax-xxe-default
@@ -30,9 +31,11 @@ rules:
... ...
message: > message: >
SAXParserFactory without XXE protection (CWE-611). SAXParserFactory without XXE protection (CWE-611).
Apply disallow-doctype-decl and disable external entity features before use. Set disallow-doctype-decl=true, external-general-entities=false, external-parameter-entities=false,
and load-external-dtd=false before use. Follow the pattern in XxeSafeXmlParser.hardenedFactory().
See: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
languages: [java] languages: [java]
severity: WARNING severity: ERROR
# XMLInputFactory without XXE hardening (StAX parser). # XMLInputFactory without XXE hardening (StAX parser).
- id: stax-xxe-default - id: stax-xxe-default
@@ -44,6 +47,8 @@ rules:
... ...
message: > message: >
XMLInputFactory without XXE protection (CWE-611). XMLInputFactory without XXE protection (CWE-611).
Set IS_SUPPORTING_EXTERNAL_ENTITIES to false and SUPPORT_DTD to false before use. Set IS_SUPPORTING_EXTERNAL_ENTITIES=false and SUPPORT_DTD=false before use.
Follow the pattern in XxeSafeXmlParser.hardenedFactory().
See: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
languages: [java] languages: [java]
severity: WARNING severity: ERROR

5
backend/src/test/java/org/raddatz/familienarchiv/importing/MassImportServiceTest.java
View File

@@ -527,7 +527,7 @@ class MassImportServiceTest {
// ─── readOds — XXE security regression ─────────────────────────────────── // ─── readOds — XXE security regression ───────────────────────────────────
// Security regression — do not remove. Introduced by issue #528. // Security regression — do not remove.
@Test @Test
void readOds_rejects_xxe_doctype_payload(@TempDir Path tempDir) throws Exception { void readOds_rejects_xxe_doctype_payload(@TempDir Path tempDir) throws Exception {
File malicious = buildXxeOds(tempDir, "file:///etc/hostname"); File malicious = buildXxeOds(tempDir, "file:///etc/hostname");
@@ -595,7 +595,8 @@ class MassImportServiceTest {
return writeOdsZip(dir.resolve("malicious.ods"), xml); return writeOdsZip(dir.resolve("malicious.ods"), xml);
} }
/** Creates a minimal valid ODS ZIP containing a content.xml with the given cell value. */ /** Creates a minimal valid ODS ZIP containing a content.xml with the given cell value.
* cellValue must not contain XML metacharacters ({@code < > &}). */
private File buildValidOds(Path dir, String cellValue) throws Exception { private File buildValidOds(Path dir, String cellValue) throws Exception {
String xml = "<?xml version=\"1.0\"?>" String xml = "<?xml version=\"1.0\"?>"
+ "<office:document-content" + "<office:document-content"