Skip to content

0.1.0 rc #15

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
rostilos wants to merge 12 commits into from
Closed

0.1.0 rc #15

rostilos wants to merge 12 commits into from

Conversation

@rostilos
Copy link
Owner

@rostilos rostilos commented Dec 24, 2025

No description provided.

@rostilos
feat: add LargeContentFilter to handle large file content and diffs i…
f9c13fc 
…n McpTools. Implement integration tests for webhook-triggered analysis and incremental analysis. Update OAuthCallbackController to streamline redirect URLs. Add TestSecurityConfig for enhanced test security configuration.
@rostilos
feat: add failed_incremental_count to RagIndexStatus for tracking inc…
4057a76 
…remental update failures. Update related services and DTOs to support new functionality. Enhance VCS integration with additional event handling.
@rostilos
Bitbucket APP connect via an actual app ( workspace-based ) instead o…
76701a6 
…f user-based connection.
@rostilos
fix branch analysis patterns ( branch/pr ) saving process
5abe063
@rostilos
refactor: comment out configuration check in BitbucketConnectControll…
8a84e25 
…er's getDescriptor method
@rostilos
fix: update frontend URL in BitbucketConnectController to use port 8080
564e2c3
@rostilos
feat: add frontend URL configuration and implement test security conf…
03d39b3 
…iguration for integration tests
@rostilos
feat: enhance internal API for analysis data retrieval and improve VC…
ec8e192 
…S integration
@rostilos
feat: implement VCS service for Bitbucket and GitHub operations
c420e21
@rostilos
chore: update frontend hash in the repository
b786940
@rostilos
feat: update internal API secret configuration and enhance project de…
3d93cbb 
…letion logic
@rostilos
feat: update Bitbucket Connect App descriptor and enhance webhook han…
06010fe 
…dling; add settings page and secure auth token generation
@codecrow-local
Copy link

codecrow-local bot commented Dec 24, 2025

⚠️ Code Analysis Results

Summary

Internal analysis APIs are exposed without authentication and can be called by anyone knowing a projectId/analysisId, exposing sensitive analysis data.

Issues Overview

Severity Count
🔴 High 1 Critical issues requiring immediate attention

Detailed Issues

🔴 High Severity Issues

Id on Platform: 431

File: .../internal/InternalAnalysisController.java:31

Issue: All endpoints under /api/internal/analysis are exposed via WebSecurityConfig (requestMatchers("/api/internal/**").permitAll()) and the controller only checks projectId/analysisId parameters. An unauthenticated client can enumerate IDs and retrieve any project’s code analysis data, leaking sensitive information.

Suggested Fix:

Require the internal shared secret header (e.g., X-Internal-Secret) on every handler and reject requests when it does not match codecrow.internal.api.secret.

View Issue Details

Files Affected

  • .../internal/InternalAnalysisController.java: 1 issue

Analysis completed on 2025-12-24 17:03:40 | View Full Report | Pull Request

@rostilos rostilos closed this Dec 24, 2025
@coderabbitai coderabbitai bot mentioned this pull request Dec 30, 2025
Closed
@codecrow-local codecrow-local bot mentioned this pull request Jan 28, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rostilos