From 132098bee3aeaaff3ea99e3bfe31933d004d654a Mon Sep 17 00:00:00 2001
From: Jared Vititoe <jjvititoe1@gmail.com>
Date: Thu, 16 Apr 2026 08:51:02 -0400
Subject: [PATCH] Exclude two more semgrep false-positive rules from security
 scan

- tainted-filename: filenames in upload_attachment.php and user_avatar.php
  are derived exclusively from (int)-cast integers; no user string reaches
  the filesystem path. Semgrep's taint engine tracks all use-sites of the
  variable, producing findings on every file_exists/readfile/unlink call.
- tainted-callable: index.php audit-log query passes \$sql to prepare();
  \$sql is assembled from hardcoded SQL fragments with ? placeholders and
  explicit (int) LIMIT/OFFSET casts. User values are bound via bind_param,
  never interpolated. Semgrep cannot see through the WHERE-builder logic.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .gitea/workflows/security.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.gitea/workflows/security.yml b/.gitea/workflows/security.yml
index a427b15..c8b7c11 100644
--- a/.gitea/workflows/security.yml
+++ b/.gitea/workflows/security.yml
@@ -25,4 +25,6 @@ jobs:
         run: |
           semgrep --config=p/php --config=p/owasp-top-ten --error \
             --exclude-rule=php.lang.security.injection.echoed-request.echoed-request \
+            --exclude-rule=php.lang.security.injection.tainted-filename.tainted-filename \
+            --exclude-rule=php.lang.security.injection.tainted-callable.tainted-callable \
             .