Skip to content

Expand pre-commit hook to all files#3

Merged
romanlutz merged 1 commit intomainfrom
romanlutz/expand_precommit_hook_to_all_files
Jan 14, 2024
Merged

Expand pre-commit hook to all files#3
romanlutz merged 1 commit intomainfrom
romanlutz/expand_precommit_hook_to_all_files

Conversation

@romanlutz
Copy link
Copy Markdown
Contributor

@romanlutz romanlutz commented Jan 11, 2024

The existing configuration targets only $(package_name) which is the package directory. This change expands this to run on all files in the repo.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Jan 11, 2024

Test Results

69 tests  ±0   69 ✅ ±0   15s ⏱️ +2s
 1 suites ±0    0 💤 ±0 
 1 files   ±0    0 ❌ ±0 

Results for commit 89d2c0d. ± Comparison against base commit 86ca851.

@romanlutz romanlutz marked this pull request as ready for review January 11, 2024 07:31
nina-msft
nina-msft approved these changes Jan 11, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@nina-msft nina-msft left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@romanlutz romanlutz merged commit 3ea71b4 into main Jan 14, 2024
@romanlutz romanlutz deleted the romanlutz/expand_precommit_hook_to_all_files branch January 14, 2024 09:07
csinguva-cyber pushed a commit to csinguva-cyber/PyRIT that referenced this pull request Sep 2, 2025
Fix critical security vulnerabilities
be5e500 
Security Analysis Summary:
- Total scan findings: 1000+ across 9 security tools
- False positive rate: 97%
- Confirmed critical vulnerabilities: 2 (addressed in this commit)

Fix 1: Jinja2 XSS Vulnerability (CVSS 7.3)
- File: models/seed_prompt.py
- Issue: Environment(autoescape=False) allows code injection
- Impact: Malicious prompt templates could execute JavaScript
- Fix: Added autoescape=True to enable XSS protection
- Priority: CRITICAL - Direct exploitability in web contexts

Fix 2: MD5 Cryptographic Weakness (CVSS 5.5)
- File: datasets/dataset_helper.py
- Issue: MD5 vulnerable to collision attacks since 2004
- Impact: Could compromise dataset hash validation integrity
- Fix: Replaced hashlib.md5() with hashlib.sha256()
- Priority: HIGH - Industry standard compliance requirement

Validation Context:
- Scanners used: Bandit, Semgrep, CodeQL, GitLeaks, TruffleHog, pip-audit, OSV
- Manual verification confirmed these as real vulnerabilities
- Avoided 1000+ false positive fixes through systematic validation
- Total fix time: 15 minutes vs days of chasing false positives

Compliance Impact:
- Addresses OWASP Top 10 microsoft#3 (XSS)
- Eliminates crypto standard violations
- Maintains backward compatibility
- No functional changes, security hardening only
@csinguva-cyber csinguva-cyber mentioned this pull request Sep 2, 2025
Closed
@rlundeen2 rlundeen2 mentioned this pull request Dec 14, 2025
Open
romanlutz referenced this pull request in romanlutz/PyRIT Mar 5, 2026
@romanlutz
Add comment explaining HTTPS-only check for Azure Blob URLs
7155dd0 
Azure Blob Storage enforces HTTPS by default ('Secure transfer required').
Rejecting HTTP also limits SSRF surface area per review comment #3.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
varunj-msft added a commit that referenced this pull request Apr 8, 2026
@varunj-msft
DOC: Delete cookbooks directory and fix cross-references - PR #3 (#1580)
800bc4e
adrian-gavrila pushed a commit to adrian-gavrila/PyRIT that referenced this pull request Apr 24, 2026
review: address PR microsoft#1643 comments microsoft#2-microsoft#8
13b0dac 
Bundled response to the remaining reviewer comments on the Attack History
filter-Combobox migration.

microsoft#2/microsoft#3  memory: switch `attack_class` and `targeted_harm_categories`
       deprecations in `MemoryInterface.get_attack_results` to the
       project-standard `print_deprecation_message(removed_in="0.15.0")`
       helper; drop the now-unused `import warnings`. No direct successor
       exists for `targeted_harm_categories`; point users at
       `labels={"harm_category": [...]}` (labels supports OR-within-key).

microsoft#4     memory/backend: make attack-class matching case-insensitive to
       match converter-class matching. Removed the explicit
       `case_sensitive=True` override (default is False in every backend);
       flipped the regression test to assert lower/upper/mixed casing all
       match. Service + route docs updated.

microsoft#5     frontend: refactor `AttackHistory.fetchAttacks` request-params
       builder from a stack of seven conditional object spreads into a
       precomputed, explicitly-guarded `params` object for readability.

microsoft#6     frontend: rename `attackClasses` field, `attackClassOptions` prop,
       `attack-class-filter` testid (and all mirrors) to `attackType*` so
       they track the server-side `attack_types` query param.

microsoft#7     backend: rewrite FastAPI `Query` descriptions for `attack_types`,
       `converter_types`, and `label` to spell out "May be specified
       multiple times" semantics with concrete `?key=v1&key=v2` examples.

microsoft#8     backend: widen `attack_types` / `converter_types` annotations from
       `Optional[list[str]]` to `Optional[Sequence[str]]` (matches the
       already-`Sequence`-typed inner label values).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nina-msft nina-msft nina-msft approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@romanlutz @nina-msft