Removed Provider.UploadURL #82
… provider.upload_url
Both security alerts are valid I think, related to iver-wharf/wharf-provider-azuredevops#19, but for database queries. They are validated to be fully qualified URLs in the provider repos, but since this validation happens outside of the wharf-api repo there is nothing stopping anybody from crafting their own request.
The security alerts are about SQL injections. GORM does not have any known SQL injection issues, as it escapes all values for us. From the "Recommendation" section of the alert:
We're not concatenating any strings... Those with Rule ID
CHANGELOG.md file, according to docs: https://iver-wharf.github.io/#/development/changelogs/writing-changelogs
Summary
Removed field Provider.UploadURL and all references to it.
Added migration to remove DB column provider.upload_url
Motivation
This field was unused and mostly led to confusion.
Notes
Tried building wharf-web after the change but it wouldn't pass because MainProvider.uploadUrl from the previous swag definitions was used at src/app/providers/providers.service.ts:L50.
The change of id -> Id from #76 also causes the build to fail because of the auto-generated names for the endpoint functions, so I believe a MAJOR version bump is in order.
Closes #56.