Fix 10 CodeQL security alerts

ako · claude · ako · commit 8f7ad69c2a9c · 2026-03-21T08:29:13.000Z
- Symlink path traversal (alerts #7-10): resolve symlink effective destination and verify it stays within extraction directory, blocking absolute symlinks and relative paths that escape the root - Integer overflow (alerts #4-6): add safeInt32() with clamping to prevent silent overflow on int-to-int32 conversions in settings - Sensitive data logging (alert #3): redact Password/Secret fields before printing exported JSON in example code - Allocation overflow (alert #2): reject unreasonably large inputs in bytesToHex fallback path to prevent len(b)*2 overflow - Workflow permissions (alert #1): add explicit contents:read permission to GitHub Actions workflow Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/.github/workflows/push-test.yml b/.github/workflows/push-test.yml
@@ -2,6 +2,9 @@ name: Build, Test & Lint
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     runs-on: ubuntu-latest
diff --git a/cmd/mxcli/docker/download.go b/cmd/mxcli/docker/download.go
@@ -213,6 +213,21 @@ func DownloadRuntime(version string, w io.Writer) (string, error) {
 	return cacheDir, nil
 }
 
+// isSymlinkWithinDir checks that a symlink's effective destination resolves
+// within the allowed directory. Prevents path traversal via absolute symlinks
+// or relative paths that escape the extraction root.
+func isSymlinkWithinDir(linkTarget, symlinkPath, allowedDir string) bool {
+	var resolved string
+	if filepath.IsAbs(linkTarget) {
+		resolved = linkTarget
+	} else {
+		resolved = filepath.Join(filepath.Dir(symlinkPath), linkTarget)
+	}
+	resolved = filepath.Clean(resolved)
+	cleanDir := filepath.Clean(allowedDir) + string(os.PathSeparator)
+	return strings.HasPrefix(resolved, cleanDir) || resolved == filepath.Clean(allowedDir)
+}
+
 // extractTarGzStrip1 extracts a tar.gz stream to the target directory,
 // stripping the first path component (equivalent to tar --strip-components=1).
 func extractTarGzStrip1(r io.Reader, targetDir string) error {
@@ -279,6 +294,10 @@ func extractTarGzStrip1(r io.Reader, targetDir string) error {
 			if strings.Contains(linkTarget, "..") {
 				continue
 			}
+			// Resolve effective destination and verify it stays within targetDir
+			if !isSymlinkWithinDir(linkTarget, target, targetDir) {
+				continue
+			}
 			os.Remove(target)
 			if err := os.MkdirAll(filepath.Dir(target), 0755); err != nil {
 				return fmt.Errorf("creating parent directory for symlink %s: %w", target, err)
@@ -347,6 +366,10 @@ func extractTarGz(r io.Reader, targetDir string) error {
 			if strings.Contains(linkTarget, "..") {
 				continue
 			}
+			// Resolve effective destination and verify it stays within targetDir
+			if !isSymlinkWithinDir(linkTarget, target, targetDir) {
+				continue
+			}
 			os.Remove(target) // Remove existing if any
 			if err := os.MkdirAll(filepath.Dir(target), 0755); err != nil {
 				return fmt.Errorf("creating parent directory for symlink %s: %w", target, err)
diff --git a/examples/read_project/main.go b/examples/read_project/main.go
@@ -10,10 +10,35 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
+	"strings"
 
 	"github.com/mendixlabs/mxcli"
 )
 
+// redactSensitiveFields recursively walks a JSON map and replaces values
+// for keys containing "Password" or "Secret" with "***".
+func redactSensitiveFields(m map[string]any) {
+	for key, val := range m {
+		lk := strings.ToLower(key)
+		if strings.Contains(lk, "password") || strings.Contains(lk, "secret") {
+			if _, ok := val.(string); ok {
+				m[key] = "***"
+			}
+			continue
+		}
+		switch v := val.(type) {
+		case map[string]any:
+			redactSensitiveFields(v)
+		case []any:
+			for _, item := range v {
+				if nested, ok := item.(map[string]any); ok {
+					redactSensitiveFields(nested)
+				}
+			}
+		}
+	}
+}
+
 func main() {
 	if len(os.Args) < 2 {
 		fmt.Println("Usage: read_project <path-to-mpr-file>")
@@ -239,6 +264,7 @@ func main() {
 		} else {
 			var prettyJSON map[string]any
 			json.Unmarshal(jsonData, &prettyJSON)
+			redactSensitiveFields(prettyJSON)
 			output, _ := json.MarshalIndent(prettyJSON, "", "  ")
 			fmt.Println(string(output))
 		}
diff --git a/mdl/executor/cmd_pages_builder_v3_pluggable.go b/mdl/executor/cmd_pages_builder_v3_pluggable.go
@@ -989,6 +989,9 @@ func hexByte(c byte) byte {
 func bytesToHex(b []byte) string {
 	if len(b) != 16 {
 		// Fallback for non-standard lengths
+		if len(b) > 1024 {
+			return "" // reject unreasonably large inputs
+		}
 		const hexChars = "0123456789abcdef"
 		result := make([]byte, len(b)*2)
 		for i, v := range b {
diff --git a/sdk/mpr/writer_settings.go b/sdk/mpr/writer_settings.go
@@ -4,12 +4,24 @@ package mpr
 
 import (
 	"fmt"
+	"math"
 
 	"github.com/mendixlabs/mxcli/model"
 
 	"go.mongodb.org/mongo-driver/bson"
 )
 
+// safeInt32 converts an int to int32 with clamping to prevent silent overflow.
+func safeInt32(v int) int32 {
+	if v > math.MaxInt32 {
+		return math.MaxInt32
+	}
+	if v < math.MinInt32 {
+		return math.MinInt32
+	}
+	return int32(v)
+}
+
 // UpdateProjectSettings updates the project settings document.
 // The project settings document always exists, so this only needs update, not create/delete.
 func (w *Writer) UpdateProjectSettings(ps *model.ProjectSettings) error {
@@ -77,12 +89,12 @@ func serializeModelSettings(ms *model.ModelSettings, raw map[string]any) map[str
 	raw["HealthCheckMicroflow"] = ms.HealthCheckMicroflow
 	raw["AllowUserMultipleSessions"] = ms.AllowUserMultipleSessions
 	raw["HashAlgorithm"] = ms.HashAlgorithm
-	raw["BcryptCost"] = int32(ms.BcryptCost)
+	raw["BcryptCost"] = safeInt32(ms.BcryptCost)
 	raw["JavaVersion"] = ms.JavaVersion
 	raw["RoundingMode"] = ms.RoundingMode
 	raw["ScheduledEventTimeZoneCode"] = ms.ScheduledEventTimeZoneCode
 	raw["FirstDayOfWeek"] = ms.FirstDayOfWeek
-	raw["DecimalScale"] = int32(ms.DecimalScale)
+	raw["DecimalScale"] = safeInt32(ms.DecimalScale)
 	raw["EnableDataStorageOptimisticLocking"] = ms.EnableDataStorageOptimisticLocking
 	raw["UseDatabaseForeignKeyConstraints"] = ms.UseDatabaseForeignKeyConstraints
 	return raw
@@ -108,10 +120,10 @@ func serializeServerConfiguration(cfg *model.ServerConfiguration) bson.M {
 		"DatabaseUserName":              cfg.DatabaseUserName,
 		"DatabasePassword":              cfg.DatabasePassword,
 		"DatabaseUseIntegratedSecurity": cfg.DatabaseUseIntegratedSecurity,
-		"HttpPortNumber":                int32(cfg.HttpPortNumber),
-		"ServerPortNumber":              int32(cfg.ServerPortNumber),
+		"HttpPortNumber":                safeInt32(cfg.HttpPortNumber),
+		"ServerPortNumber":              safeInt32(cfg.ServerPortNumber),
 		"ApplicationRootUrl":            cfg.ApplicationRootUrl,
-		"MaxJavaHeapSize":               int32(cfg.MaxJavaHeapSize),
+		"MaxJavaHeapSize":               safeInt32(cfg.MaxJavaHeapSize),
 		"ExtraJvmParameters":            cfg.ExtraJvmParameters,
 		"OpenAdminPort":                 cfg.OpenAdminPort,
 		"OpenHttpPort":                  cfg.OpenHttpPort,
@@ -160,7 +172,7 @@ func serializeLanguageSettings(ls *model.LanguageSettings, raw map[string]any) m
 // serializeWorkflowsSettings updates the raw BSON map with modified workflow settings.
 func serializeWorkflowsSettings(ws *model.WorkflowsSettings, raw map[string]any) map[string]any {
 	raw["UserEntity"] = ws.UserEntity
-	raw["DefaultTaskParallelism"] = int32(ws.DefaultTaskParallelism)
-	raw["WorkflowEngineParallelism"] = int32(ws.WorkflowEngineParallelism)
+	raw["DefaultTaskParallelism"] = safeInt32(ws.DefaultTaskParallelism)
+	raw["WorkflowEngineParallelism"] = safeInt32(ws.WorkflowEngineParallelism)
 	return raw
 }
