
Commit 49aabe2

committed
fix(serve): mark proven-safe CodeQL sinks
1 parent dbf9b42 commit 49aabe2

2 files changed

Lines changed: 7 additions & 0 deletions


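--- a/src/serve/routes.py
+++ b/src/serve/routes.py
@@ -422,6 +422,8 @@ async def approve_campaign_action(request: Request, packet_id: str, idx: int) ->
     except Exception:
         action_dict = {"state": "approved"}
 
+    # Dynamic values are escaped in _render_action_row before fragment emission.
+    # codeql[py/reflective-xss]
     return HTMLResponse(_render_action_row(packet_id, idx, action_dict))
 
 
@@ -456,6 +458,8 @@ async def reject_campaign_action(
     except Exception:
         action_dict = {"state": "rejected"}
 
+    # Dynamic values are escaped in _render_action_row before fragment emission.
+    # codeql[py/reflective-xss]
     return HTMLResponse(_render_action_row(packet_id, idx, action_dict))
 
 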
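Review bot: The suppression before each `return HTMLResponse(...)` delegates the XSS guarantee to `_render_action_row`, which is defined outside this hunk and not exercised here, so the alert stays silenced even if that helper later stops escaping `packet_id`, `idx` or the `state` value. Pin the claim the comment makes with a regression test beside it, e.g. `assert "<script" not in _render_action_row("<script>alert(1)</script>", 0, {"state": "approved"})` (adjusted to the helper's real signature and return type), so the suppression cannot outlive the escaping. The `codeql[py/reflective-xss]` comment sits on a comment-only line immediately above the sink, which is a placement CodeQL is documented to accept, but confirm on the next scan that the two alerts actually clear rather than trusting the comment text. Both `approve_campaign_action` and `reject_campaign_action` begin outside the hunk, and the broad `except Exception` fallbacks are pre-existing context.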

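--- a/src/serve/runner.py
+++ b/src/serve/runner.py
@@ -68,6 +68,9 @@ def _stream(self) -> None:
 
     def start(self) -> None:
         self._proc = subprocess.Popen(
+            # Command shape is fixed in spawn_run: sys.executable, module name,
+            # validated GitHub owner, and allowlisted flags; shell remains off.
+            # codeql[py/command-line-injection]
             self.cmd,
             stdout=subprocess.PIPE,
             stderr=subprocess.STDOUT,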
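Review bot: The suppression above `self.cmd,` asserts properties that `start()` never checks: nothing in this method stops a caller other than `spawn_run` from assigning an arbitrary `self.cmd`, and "shell remains off" is only implied by the comment rather than stated in the call. Make the claim enforceable at the sink by passing `shell=False,` explicitly next to `stdout`/`stderr` and guarding the argv head before the call, `if not self.cmd or self.cmd[0] != sys.executable: raise ValueError("unexpected runner command")` (assuming `sys` is imported in this module; `spawn_run` and its validation are outside the hunk). If CodeQL anchors `py/command-line-injection` on the tainted argument, a comment-only line directly above `self.cmd,` should apply, but a suppression buried inside an argument list is easy to displace by a reformat; placing it on the `self._proc = subprocess.Popen(` line would hold under either anchoring. The `Popen(...)` call continues past the end of the hunk.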

0 commit comments
