
Removed Provider.UploadURL #82

Merged: 6 commits merged into master from feature/remove-provider-upload-url, Sep 29, 2021

Conversation

@Alexamakans (Member) commented Sep 22, 2021

Summary

Removed field Provider.UploadURL and all references to it.
Added migration to remove DB column provider.upload_url

Motivation

This field was unused and mostly led to confusion.

Notes

Tried building wharf-web after the change but it wouldn't pass because MainProvider.uploadUrl from the previous swag definitions was used at src/app/providers/providers.service.ts:L50.

The change of id -> Id from #76 also causes the build to fail because of the auto-generated names for the endpoint functions, so I believe a MAJOR version bump is in order.

--
Closes #56.

@Alexamakans Alexamakans force-pushed the feature/remove-provider-upload-url branch from 369cb1c to e743801 on September 22, 2021 08:48
@Alexamakans Alexamakans self-assigned this Sep 22, 2021
@Alexamakans Alexamakans added the enhancement New feature or request label Sep 22, 2021
@Alexamakans Alexamakans added this to In progress in Backlog via automation Sep 22, 2021
@Alexamakans (Member, Author) commented:

Both security alerts are valid I think, related to iver-wharf/wharf-provider-azuredevops#19, but for database queries.

They are validated to be fully qualified URLs in the provider repos, but since this validation happens outside of the wharf-api repo there is nothing stopping anybody from crafting their own request.
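The gap described above is that the "fully qualified URL" check lives in the provider repos, so a request sent straight to wharf-api bypasses it. The following is an added example (not code from wharf-api or any wharf provider) of the kind of server-side check that closes that gap; the function name ValidateProviderURL and the sample inputs are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ValidateProviderURL accepts only absolute http(s) URLs with a real host.
// Hypothetical check for the API side; it does not trust the client to
// have validated the value before sending it.
func ValidateProviderURL(raw string) error {
	if strings.TrimSpace(raw) == "" {
		return errors.New("url is empty")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("url is not parseable: %w", err)
	}
	// Relative paths parse fine but have no scheme; reject them and any
	// non-web scheme rather than only checking "it parsed".
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q is not http or https", u.Scheme)
	}
	// Hostname() strips the port, so "https://:8080" is caught here too.
	if u.Host == "" || u.Hostname() == "" {
		return errors.New("url has no host")
	}
	// Credentials in the URL would end up stored in the database.
	if u.User != nil {
		return errors.New("url must not embed credentials")
	}
	return nil
}

func main() {
	// Constructed sample inputs: one valid, the rest malformed in some way.
	for _, s := range []string{
		"https://dev.azure.com/myorg",
		"dev.azure.com/myorg",
		"ftp://files.example.com",
		"https://user:pass@dev.azure.com",
		"https://",
	} {
		fmt.Printf("%-40s -> %v\n", s, ValidateProviderURL(s))
	}
}
```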

@applejag (Contributor) commented:

> Both security alerts are valid I think, related to iver-wharf/wharf-provider-azuredevops#19, but for database queries.
>
> They are validated to be fully qualified URLs in the provider repos, but since this validation happens outside of the wharf-api repo there is nothing stopping anybody from crafting their own request.

The security alerts are about SQL injections. GORM does not have any known SQL injection issues, as it escapes all values for us. From the "Recommendation" section of the alert:

> /.../ Use these features rather than building queries by string concatenation.

https://github.com/iver-wharf/wharf-api/security/code-scanning/33?query=ref%3Arefs%2Fpull%2F82%2Fmerge+ref%3Arefs%2Fpull%2F82%2Fhead+ref%3Arefs%2Fheads%2Ffeature%2Fremove-provider-upload-url

We're not concatenating any strings... Those with Rule ID go/sql-injection are false positives.

Backlog automation moved this from In progress to Reviewer approved Sep 29, 2021
@Alexamakans Alexamakans merged commit ea6c990 into master Sep 29, 2021
Backlog automation moved this from Reviewer approved to Done Sep 29, 2021
@Alexamakans Alexamakans deleted the feature/remove-provider-upload-url branch September 29, 2021 11:06
@applejag applejag mentioned this pull request Sep 29, 2021
@applejag applejag mentioned this pull request Jan 13, 2022