fix: address CodeQL security alerts#161

Merged
rmanibus merged 1 commit into main from fix/codeql-security-alerts on Mar 18, 2026

Conversation


@rmanibus rmanibus commented Mar 18, 2026

Fixes #162

This PR addresses three CodeQL security alerts with minimal changes:

  1. go/insecure-hostkeycallback: Replaced insecure SFTP host key validation with a secure default that checks the system known_hosts file.
  2. go/allocation-size-overflow: Added a length check in pkg/crypto to prevent potential integer overflows during large buffer allocations.
  3. Acknowledged Insecure E2E: Explicitly marked the E2E test SFTP callback as insecure with //nolint:gosec to satisfy security scanners while maintaining test functionality.
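The length check behind the second alert (go/allocation-size-overflow), as an added example that is not the PR's diff or the project's own pkg/crypto code: a length-prefixed record parser that bounds an untrusted length before it reaches any arithmetic or allocation. The record layout, constants and function names are assumptions made for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed layout (not the project's real format): 8-byte big-endian
// length prefix, ciphertext, then a 16-byte tag.
const (
	headerSize    = 8
	tagSize       = 16
	maxRecordSize = 64 << 20 // assumed upper bound on one ciphertext
)
var ErrBadLength = errors.New("crypto: declared record length out of range")

// parseRecord is the hardened form of what go/allocation-size-overflow flags:
// make([]byte, int(n)+tagSize) with n straight from the header, where int(n)
// can go negative (panic) or the allocation can be enormous. The length is
// bounded in uint64 space first, then checked against the bytes present.
func parseRecord(rec []byte) (ct, tag []byte, err error) {
	if len(rec) < headerSize {
		return nil, nil, ErrBadLength
	}
	n := binary.BigEndian.Uint64(rec[:headerSize])
	if n > maxRecordSize {
		return nil, nil, ErrBadLength
	}
	if len(rec) != headerSize+int(n)+tagSize { // cannot wrap: n <= maxRecordSize
		return nil, nil, ErrBadLength
	}
	ct = make([]byte, int(n)) // safe: n is bounded above
	copy(ct, rec[headerSize:headerSize+int(n)])
	return ct, rec[headerSize+int(n):], nil
}

func buildRecord(ct, tag []byte) []byte { // assembles the constructed layout
	rec := make([]byte, headerSize, headerSize+len(ct)+len(tag))
	binary.BigEndian.PutUint64(rec, uint64(len(ct)))
	return append(append(rec, ct...), tag...)
}

func main() {
	ct, tag, err := parseRecord(buildRecord([]byte("hello"), make([]byte, tagSize)))
	fmt.Printf("ct=%q tagLen=%d err=%v\n", ct, len(tag), err)
	bad := make([]byte, headerSize)
	binary.BigEndian.PutUint64(bad, ^uint64(0)) // a length that would wrap int(n)
	_, _, err = parseRecord(bad)
	fmt.Println("oversized length rejected:", errors.Is(err, ErrBadLength))
}
```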

rmanibus force-pushed the fix/codeql-security-alerts branch 8 times, most recently from ede9d15 to a4c20d3 on March 18, 2026 23:00
rmanibus force-pushed the fix/codeql-security-alerts branch from a4c20d3 to 83b369d on March 18, 2026 23:03
codecov Bot commented Mar 18, 2026

Codecov Report

❌ Patch coverage is 76.25000% with 19 lines in your changes missing coverage. Please review.

Files with missing lines (patch coverage, uncovered lines):
  internal/sftp/sftp.go      53.33%  5 missing and 2 partials
  cmd/cloudstic/store.go     50.00%  2 missing and 2 partials
  pkg/source/sftp_source.go  78.57%  3 missing
  pkg/store/sftp.go          78.57%  3 missing
  pkg/crypto/crypto.go        0.00%  1 missing and 1 partial

rmanibus merged commit 498c2a7 into main on Mar 18, 2026
11 checks passed
rmanibus deleted the fix/codeql-security-alerts branch on March 18, 2026 23:07
rmanibus added this to the v1.14.0 milestone on Mar 19, 2026
rmanibus added the "chore" (Maintenance and tooling changes) label on Mar 19, 2026
Development

Successfully merging this pull request may close these issues.

Address CodeQL security alerts: SFTP host key validation and crypto allocation overflow