fix: resolve 46 CodeQL alerts and 6 Dependabot vulnerabilities#161
Merged
fix: resolve 46 CodeQL alerts and 6 Dependabot vulnerabilities#161
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
There was a problem hiding this comment.
CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.
- Fix SQL injection in recommendation.py using parameterized unnest/ANY - Fix path injection in art.py and main.py with os.path.realpath() containment - Fix incomplete URL sanitization in musicbrainz.py, album.py, mb_to_qobuz.py - Fix weak MD5 usage in qobuz.py, test-ext-api.py, mb_to_qobuz.py (Qobuz API protocol) - Fix bad tag filter regex in charts.py and sample/chart.py - Fix stack trace exposure in lastfm.py - Fix aiodns deprecation in dns_resolver.py (query_dns with pycares result) - Add workflow permissions blocks (contents: read) - Patch Dependabot vulnerabilities (ecdsa, pyasn1, Pygments, cookie) - Add CodeQL advanced setup with config (paths-ignore scripts/, query-filters) - Rewrite README for clarity and .env-based configuration - Expand CONTRIBUTING.md with dev setup instructions - Add docs/scanner.md with CLI reference
darious
force-pushed
the
feature/security-fixes
branch
from
b64a5ee to
9d90a2d
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
CodeQL fixes
permissions: contents: readto all 3 PR workflowsunnest($N)andANY($N)urlparsehostname matching in MusicBrainz/album scannersusedforsecurity=Falseto Qobuz API MD5 calls (required by their protocol)</script\s*>)aiodns query()withquery_dns()plus correctDNSResulthandlingDependabot
🤖 Generated with Claude Code