Skip to content

Address some CodeQL security concerns #35572

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Oct 3, 2025
Merged

Address some CodeQL security concerns #35572

merged 4 commits into from
Oct 3, 2025
+118 −78

Conversation

wxiaoguang
Copy link
Contributor

Although there is no real security problem

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Oct 3, 2025
@github-actions github-actions bot added modifies/go Pull requests that update Go code modifies/frontend labels Oct 3, 2025
silverwind
silverwind reviewed Oct 3, 2025
View reviewed changes
silverwind
silverwind reviewed Oct 3, 2025
View reviewed changes
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Oct 3, 2025
@github-actions github-actions bot added modifies/api This PR adds API routes or modifies them modifies/cli PR changes something on the CLI, i.e. gitea doctor or gitea admin labels Oct 3, 2025
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Oct 3, 2025
@wxiaoguang wxiaoguang merged commit 71360a9 into go-gitea:main Oct 3, 2025
26 checks passed
@GiteaBot GiteaBot added this to the 1.26.0 milestone Oct 3, 2025
@wxiaoguang wxiaoguang deleted the fix-codeql branch October 3, 2025 17:21
@wxiaoguang wxiaoguang added the skip-changelog This PR is irrelevant for the (next) changelog, for example bug fixes for unreleased features. label Oct 3, 2025
wxiaoguang
wxiaoguang commented Oct 3, 2025
View reviewed changes
cmd/admin_user_create.go
if err != nil {
return err
}
// codeql[disable-next-line=go/clear-text-logging]
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a shame that CodeQL doesn't support such inline-disabling. I was cheated by AI.

CodeQL is missing an inline mechanism to suppress warnings #11427

Copy link
Member

@silverwind silverwind Oct 4, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Never blindly trust AI, always verify 😆

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup, I never blindly trust AI. But at the moment I don't have a way to test the CodeQL related changes locally. So after the merge, I checked the result immediately .....

If anyone knows to how to test CodeQL locally, please suggest. 🙏

rossigee pushed a commit to rossigee/gitea that referenced this pull request Oct 4, 2025
@wxiaoguang @rossigee
Address some CodeQL security concerns (go-gitea#35572)
2cab06f 
Although there is no real security problem
rossigee pushed a commit to rossigee/gitea that referenced this pull request Oct 4, 2025
@wxiaoguang @rossigee
Address some CodeQL security concerns (go-gitea#35572)
b04f209 
Although there is no real security problem
zjjhot added a commit to zjjhot/gitea that referenced this pull request Oct 5, 2025
@zjjhot
Merge remote-tracking branch 'giteaofficial/main'
06198a4 
* giteaofficial/main:
  fix: auto-expand and auto-scroll for actions logs (go-gitea#35570) (go-gitea#35583)
  [skip ci] Updated translations via Crowdin
  [skip ci] Updated translations via Crowdin
  Fix creating pull request failure when the target branch name is the same as some tag (go-gitea#35552)
  Use bundled version of spectral (go-gitea#35573)
  Add rebase push display wrong comments bug (go-gitea#35560)
  Address some CodeQL security concerns (go-gitea#35572)
  fix(webhook): prevent tag events from bypassing branch filters targets go-gitea#35449 (go-gitea#35567)
  Added button to copy file name in PR files (go-gitea#35509)
  Update JS and PY deps (go-gitea#35565)
  Enable a few more tsconfig options (go-gitea#35553)
  Bump github.com/wneessen/go-mail from 0.6.2 to 0.7.1 (go-gitea#35557)
  add more routes to the "expensive" list (go-gitea#35547)
  Drop json-iterator dependency (go-gitea#35544)
  Add proper error message if session provider can not be created (go-gitea#35520)
  use experimental go json v2 library (go-gitea#35392)
  Use global lock instead of status pool for cron lock (go-gitea#35507)
  Move some functions to gitrepo package (go-gitea#35503)
  Move GetDiverging functions to gitrepo (go-gitea#35524)
  [skip ci] Updated translations via Crowdin
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@silverwind silverwind silverwind approved these changes

@lunny lunny lunny approved these changes

Assignees
No one assigned
Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/api This PR adds API routes or modifies them modifies/cli PR changes something on the CLI, i.e. gitea doctor or gitea admin modifies/frontend modifies/go Pull requests that update Go code skip-changelog This PR is irrelevant for the (next) changelog, for example bug fixes for unreleased features.
Projects
None yet
Milestone
1.26.0
Development

Successfully merging this pull request may close these issues.
4 participants
@wxiaoguang @lunny @silverwind @GiteaBot