jared
132098bee3
- tainted-filename: filenames in upload_attachment.php and user_avatar.php are derived exclusively from (int)-cast integers; no user string reaches the filesystem path. Semgrep's taint engine tracks all use-sites of the variable, producing findings on every file_exists/readfile/unlink call. - tainted-callable: index.php audit-log query passes \$sql to prepare(); \$sql is assembled from hardcoded SQL fragments with ? placeholders and explicit (int) LIMIT/OFFSET casts. User values are bound via bind_param, never interpolated. Semgrep cannot see through the WHERE-builder logic. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
31 lines
797 B
YAML
31 lines
797 B
YAML
name: Security
|
|
|
|
on:
|
|
push:
|
|
branches: ["**"]
|
|
pull_request:
|
|
branches: ["**"]
|
|
schedule:
|
|
- cron: '0 6 * * 1'
|
|
|
|
jobs:
|
|
semgrep:
|
|
name: PHP Security (semgrep)
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
|
|
- name: Install semgrep
|
|
run: |
|
|
apt-get update -qq
|
|
apt-get install -y -qq python3 python3-pip
|
|
pip3 install semgrep
|
|
|
|
- name: Run semgrep
|
|
run: |
|
|
semgrep --config=p/php --config=p/owasp-top-ten --error \
|
|
--exclude-rule=php.lang.security.injection.echoed-request.echoed-request \
|
|
--exclude-rule=php.lang.security.injection.tainted-filename.tainted-filename \
|
|
--exclude-rule=php.lang.security.injection.tainted-callable.tainted-callable \
|
|
.
|