Skip to content

Expand pre-commit hook to all files#3

Merged
romanlutz merged 1 commit intomainfrom
romanlutz/expand_precommit_hook_to_all_files
Jan 14, 2024
Merged

Expand pre-commit hook to all files#3
romanlutz merged 1 commit intomainfrom
romanlutz/expand_precommit_hook_to_all_files

Conversation

@romanlutz
Copy link
Contributor

@romanlutz romanlutz commented Jan 11, 2024

The existing configuration targets only $(package_name) which is the package directory. This change expands this to run on all files in the repo.

@github-actions
Copy link

github-actions bot commented Jan 11, 2024

Test Results

69 tests  ±0   69 ✅ ±0   15s ⏱️ +2s
 1 suites ±0    0 💤 ±0 
 1 files   ±0    0 ❌ ±0 

Results for commit 89d2c0d. ± Comparison against base commit 86ca851.

@romanlutz romanlutz marked this pull request as ready for review January 11, 2024 07:31
nina-msft
nina-msft approved these changes Jan 11, 2024
View reviewed changes
Copy link
Contributor

@nina-msft nina-msft left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@romanlutz romanlutz merged commit 3ea71b4 into main Jan 14, 2024
@romanlutz romanlutz deleted the romanlutz/expand_precommit_hook_to_all_files branch January 14, 2024 09:07
csinguva-cyber pushed a commit to csinguva-cyber/PyRIT that referenced this pull request Sep 2, 2025
Fix critical security vulnerabilities
be5e500 
Security Analysis Summary:
- Total scan findings: 1000+ across 9 security tools
- False positive rate: 97%
- Confirmed critical vulnerabilities: 2 (addressed in this commit)

Fix 1: Jinja2 XSS Vulnerability (CVSS 7.3)
- File: models/seed_prompt.py
- Issue: Environment(autoescape=False) allows code injection
- Impact: Malicious prompt templates could execute JavaScript
- Fix: Added autoescape=True to enable XSS protection
- Priority: CRITICAL - Direct exploitability in web contexts

Fix 2: MD5 Cryptographic Weakness (CVSS 5.5)
- File: datasets/dataset_helper.py
- Issue: MD5 vulnerable to collision attacks since 2004
- Impact: Could compromise dataset hash validation integrity
- Fix: Replaced hashlib.md5() with hashlib.sha256()
- Priority: HIGH - Industry standard compliance requirement

Validation Context:
- Scanners used: Bandit, Semgrep, CodeQL, GitLeaks, TruffleHog, pip-audit, OSV
- Manual verification confirmed these as real vulnerabilities
- Avoided 1000+ false positive fixes through systematic validation
- Total fix time: 15 minutes vs days of chasing false positives

Compliance Impact:
- Addresses OWASP Top 10 Azure#3 (XSS)
- Eliminates crypto standard violations
- Maintains backward compatibility
- No functional changes, security hardening only
@csinguva-cyber csinguva-cyber mentioned this pull request Sep 2, 2025
Closed
@rlundeen2 rlundeen2 mentioned this pull request Dec 14, 2025
Open
romanlutz added a commit to romanlutz/PyRIT that referenced this pull request Mar 5, 2026
@romanlutz
Add comment explaining HTTPS-only check for Azure Blob URLs
7155dd0 
Azure Blob Storage enforces HTTPS by default ('Secure transfer required').
Rejecting HTTP also limits SSRF surface area per review comment Azure#3.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nina-msft nina-msft nina-msft approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@romanlutz @nina-msft