3a4a13db7b
- index.php: replace SQL string interpolation with concatenation + explicit (int) casts for LIMIT/OFFSET; add nosemgrep for tainted-sql false positive (WHERE clause built from hardcoded fragments with bound params only)
- api/upload_attachment.php: add realpath() path-traversal guard after mkdir
- api/user_avatar.php: make (int) cast explicit at cache-path construction; add nosemgrep for tainted-filename false positive (integer-only input)
- assets/js/ticket.js: add nosemgrep for insertAdjacentHTML — all dynamic content already escaped via lt.escHtml() before insertion
- .gitea/workflows/security.yml: exclude echoed-request rule globally — all echo in API context is json_encode() output, not HTML; htmlentities() fix semgrep suggests would corrupt JSON responses

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
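The commit message says a realpath() path-traversal guard was added after mkdir in api/upload_attachment.php, but does not show it. The following is an added example (not the repository's code) of that pattern as a practitioner would write it; the function name attachmentPath(), the uploads/<ticket id>/<file> layout and the sample inputs are assumptions. Two caveats are built in: realpath() returns false for a path that does not exist yet, so the check has to run after mkdir(), which in turn means the directory component passed to mkdir() must already be built from validated parts (here an integer ticket id), because mkdir() runs before the guard can refuse anything; and the containment comparison includes a trailing directory separator, since a bare prefix test would accept a sibling such as uploads_evil for a root named uploads.

```php
<?php
// Added example, not code from the repository this commit belongs to.
// Directory layout, function name and sample inputs are assumptions.
// Requires PHP 8.0+ (str_starts_with).
declare(strict_types=1);

/**
 * Return the absolute path an uploaded attachment may be written to, or null.
 *
 * Layer 1: constrain untrusted input before any filesystem call. The ticket id
 *          is an int (cannot contain '..' or '/') and the client-supplied file
 *          name is reduced with basename() and a conservative character set.
 * Layer 2: after mkdir(), realpath() resolves '..' and symlinks; the result is
 *          compared against the canonical upload root with a trailing separator.
 */
function attachmentPath(string $uploadRoot, int $ticketId, string $clientName): ?string
{
    $name = basename($clientName);
    // Reject empty names, dot-files (e.g. .htaccess) and anything outside [A-Za-z0-9._-].
    if ($name === '' || $name[0] === '.' || !preg_match('/^[A-Za-z0-9._-]{1,128}\z/', $name)) {
        return null;
    }

    $dir = $uploadRoot . DIRECTORY_SEPARATOR . $ticketId; // int: no traversal possible here
    if (!is_dir($dir) && !@mkdir($dir, 0750, true)) {
        return null;
    }

    // realpath() would return false on a not-yet-existing directory, hence after mkdir().
    $root = realpath($uploadRoot);
    $real = realpath($dir);
    if ($root === false || $real === false) {
        return null;
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (!str_starts_with($real . DIRECTORY_SEPARATOR, $root)) {
        return null; // resolved outside the upload root, e.g. through a planted symlink
    }
    return $real . DIRECTORY_SEPARATOR . $name;
}

// Demo with constructed inputs under a temporary directory (not real upload data).
$tmp  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'attach_demo_' . getmypid();
$root = $tmp . DIRECTORY_SEPARATOR . 'uploads';
mkdir($root, 0750, true);
mkdir($tmp . DIRECTORY_SEPARATOR . 'outside', 0750, true);

// Ordinary upload: resolves to <root>/42/report.pdf.
var_dump(attachmentPath($root, 42, 'report.pdf'));
// Traversal in the file name: basename() reduces it to 'passwd', which stays inside <root>/42.
var_dump(attachmentPath($root, 42, '../../etc/passwd'));
// Dot-file name: rejected by the character-set check, returns null.
var_dump(attachmentPath($root, 42, '.htaccess'));
// Symlinked ticket directory pointing outside the root: a string prefix check on
// "<root>/7" would pass, realpath() resolves it to <tmp>/outside and the guard returns null.
symlink($tmp . DIRECTORY_SEPARATOR . 'outside', $root . DIRECTORY_SEPARATOR . '7');
var_dump(attachmentPath($root, 7, 'x.txt'));

// Cleanup.
unlink($root . DIRECTORY_SEPARATOR . '7');
rmdir($root . DIRECTORY_SEPARATOR . '42');
rmdir($root);
rmdir($tmp . DIRECTORY_SEPARATOR . 'outside');
rmdir($tmp);
```

If the semgrep tainted-filename rule still flags the write after this guard, the suppression form used elsewhere in the commit applies here too: a `// nosemgrep: <rule id>` comment on the flagged line or the line before it, scoped to the one rule, rather than excluding the rule for the whole repository.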
29 lines
615 B
YAML
```yaml
name: Security

on:
  push:
    branches: ["**"]
  pull_request:
    branches: ["**"]
  schedule:
    - cron: '0 6 * * 1'

jobs:
  semgrep:
    name: PHP Security (semgrep)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Install semgrep
        run: |
          apt-get update -qq
          apt-get install -y -qq python3 python3-pip
          pip3 install semgrep

      - name: Run semgrep
        run: |
          semgrep --config=p/php --config=p/owasp-top-ten --error \
            --exclude-rule=php.lang.security.injection.echoed-request.echoed-request \
            .
```