chore: resolve open CodeQL security alerts (#13)

msukkari · claude · web-flow · commit 7c6c629f7d00 · 2026-04-20T23:19:17.000-07:00
CodeQL alerts addressed:

- gitindex/clone.go:60 (high, go/clear-text-logging): the clone command
  was logged with its full args, which may include URLs containing basic
  auth credentials. Added a URL-aware redactor that strips userinfo
  before logging. Actual exec args are unchanged.

- api.go:668 (high, go/incorrect-integer-conversion): replaced
  ParseInt(_, 10, 64) + int(id) with strconv.Atoi for the tenantID
  RawConfig value so no truncating int64 -&gt; int conversion occurs.

- cmd/zoekt-sourcegraph-indexserver/sg.go:608 (high,
  go/incorrect-integer-conversion): replaced Atoi + uint32(id) with
  ParseUint(_, 10, 32) so the value is bounded to uint32 at parse time.

- .github/workflows/ci.yml and buf-breaking-check.yml (medium x8,
  actions/missing-workflow-permissions): added top-level
  `permissions: contents: read` to follow least-privilege for
  GITHUB_TOKEN.

- .github/workflows/semgrep.yml (high,
  actions/untrusted-checkout/high): the scan ran on pull_request_target
  while checking out the PR head, giving PR code access to secrets
  (GH_SEMGREP_SAST_TOKEN, security-events:write). Switched the trigger
  to pull_request so the PR head is only ever checked out in an
  untrusted context with no access to write scopes.

Co-authored-by: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/buf-breaking-check.yml b/.github/workflows/buf-breaking-check.yml
@@ -4,6 +4,8 @@ on:
       - opened
     paths:
       - '*.proto'
+permissions:
+  contents: read
 jobs:
   validate-protos:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -5,6 +5,8 @@ on:
   pull_request:
   workflow_dispatch:
 name: CI
+permissions:
+  contents: read
 jobs:
   test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -1,9 +1,12 @@
 name: Semgrep - SAST Scan
 
 on:
-  pull_request_target:
+  pull_request:
     types: [ closed, edited, opened, synchronize, ready_for_review ]
 
+permissions:
+  contents: read
+
 jobs:
   semgrep:
     permissions:
@@ -16,9 +19,6 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.ref }}
-          repository: ${{ github.event.pull_request.head.repo.full_name }}
 
       - name: Checkout semgrep-rules repo
         uses: actions/checkout@v4
diff --git a/api.go b/api.go
@@ -664,8 +664,8 @@ func (r *Repository) UnmarshalJSON(data []byte) error {
 	}
 
 	if v, ok := repo.RawConfig["tenantID"]; ok {
-		id, _ := strconv.ParseInt(v, 10, 64)
-		r.TenantID = int(id)
+		id, _ := strconv.Atoi(v)
+		r.TenantID = id
 	}
 
 	// Sourcegraph indexserver doesn't set repo.Rank, so we set it here. Setting it
diff --git a/cmd/zoekt-sourcegraph-indexserver/sg.go b/cmd/zoekt-sourcegraph-indexserver/sg.go
@@ -603,7 +603,7 @@ func (sf sourcegraphFake) id(name string) uint32 {
 	// allow overriding the ID.
 	idPath := filepath.Join(sf.RootDir, filepath.FromSlash(name), "SG_ID")
 	if b, _ := os.ReadFile(idPath); len(b) > 0 {
-		id, err := strconv.Atoi(strings.TrimSpace(string(b)))
+		id, err := strconv.ParseUint(strings.TrimSpace(string(b)), 10, 32)
 		if err == nil {
 			return uint32(id)
 		}
diff --git a/gitindex/clone.go b/gitindex/clone.go
@@ -18,6 +18,7 @@ import (
 	"bytes"
 	"fmt"
 	"log"
+	"net/url"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -26,6 +27,28 @@ import (
 	"github.com/go-git/go-git/v5/config"
 )
 
+// redactURLCredentials removes any basic-auth userinfo from a URL-shaped
+// string so that credentials are never written to logs. Non-URL arguments
+// are returned unchanged.
+func redactURLCredentials(s string) string {
+	u, err := url.Parse(s)
+	if err != nil || u.Scheme == "" || u.User == nil {
+		return s
+	}
+	u.User = url.User("redacted")
+	return u.String()
+}
+
+// redactURLCredentialsInArgs returns a copy of args with any URL-valued
+// arguments having their userinfo redacted.
+func redactURLCredentialsInArgs(args []string) []string {
+	out := make([]string, len(args))
+	for i, a := range args {
+		out[i] = redactURLCredentials(a)
+	}
+	return out
+}
+
 // CloneRepo clones one repository, adding the given config
 // settings. It returns the bare repo directory. The `name` argument
 // determines where the repo is stored relative to `destDir`. Returns
@@ -57,7 +80,7 @@ func CloneRepo(destDir, name, cloneURL string, settings map[string]string) (stri
 
 	// Prevent prompting
 	cmd.Stdin = &bytes.Buffer{}
-	log.Println("running:", cmd.Args)
+	log.Println("running:", redactURLCredentialsInArgs(cmd.Args))
 	if err := cmd.Run(); err != nil {
 		return "", err
 	}

Original file line number	Diff line number	Diff line change
`@@ -664,8 +664,8 @@ func (r *Repository) UnmarshalJSON(data []byte) error {`
`664`	`664`	`}`
`665`	`665`
`666`	`666`	`if v, ok := repo.RawConfig["tenantID"]; ok {`
`667`		`- id, _ := strconv.ParseInt(v, 10, 64)`
`668`		`- r.TenantID = int(id)`
	`667`	`+ id, _ := strconv.Atoi(v)`
	`668`	`+ r.TenantID = id`
`669`	`669`	`}`
`670`	`670`
`671`	`671`	`// Sourcegraph indexserver doesn't set repo.Rank, so we set it here. Setting it`
Original file line number	Diff line number	Diff line change
`@@ -603,7 +603,7 @@ func (sf sourcegraphFake) id(name string) uint32 {`
`603`	`603`	`// allow overriding the ID.`
`604`	`604`	`idPath := filepath.Join(sf.RootDir, filepath.FromSlash(name), "SG_ID")`
`605`	`605`	`if b, _ := os.ReadFile(idPath); len(b) > 0 {`
`606`		`- id, err := strconv.Atoi(strings.TrimSpace(string(b)))`
	`606`	`+ id, err := strconv.ParseUint(strings.TrimSpace(string(b)), 10, 32)`
`607`	`607`	`if err == nil {`
`608`	`608`	`return uint32(id)`
`609`	`609`	`}`