Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NEST-536: Add necessary security exceptions #403

Merged
merged 16 commits into from
Aug 23, 2024
Merged

NEST-536: Add necessary security exceptions #403

merged 16 commits into from
Aug 23, 2024

Conversation

sarahelsaig
Copy link
Member

@sarahelsaig sarahelsaig commented Aug 22, 2024
edited by jira bot
Loading

@sarahelsaig sarahelsaig changed the base branch from dev to task/system-text-json-migration August 22, 2024 13:19
Piedone
Piedone requested changes Aug 23, 2024
View reviewed changes
Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs Outdated Show resolved Hide resolved
Lombiq.Tests.UI/SecurityScanning/SecurityScanningUITestContextExtensions.cs Outdated
Comment on lines 88 to 101
// There is no need to security scan anything in Lombiq.Tests.UI.Shortcuts.
configuration.ExcludeUrlWithRegex(@".*/Lombiq.Tests.UI.Shortcuts/.*");

configuration.MarkScanRuleAsFalsePositiveForUrlWithRegex(
".*/(Login|ChangePassword)[?][rR]eturnUrl=.*", // #spell-check-ignore-line
6,
"Path Traversal",
"Setting the ReturnUrl query parameter to a itself yields a false positive");

configuration.MarkScanRuleAsFalsePositiveForUrlWithRegex(
".*/(Login|ChangePassword)[?][rR]eturnUrl=.*", // #spell-check-ignore-line
40018,
"SQL Injection",
"Setting the ReturnUrl query parameter to an SQL expression can't actually cause SQL Injection.");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These three should rather be in the plans, so they're applied to every scan.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You didn't yet move configuration.ExcludeUrlWithRegex(@".*/Lombiq.Tests.UI.Shortcuts/.*"); BTW.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know how to do that for a filter with no rule ID. Also the configuration.ExcludeUrlWithRegex(@".*/Admin/.*"); right above it is the same kind, so I assumed if it was possible you would've already moved it into the plans.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the end, this is run, what should be possible in YML too: https://github.com/Lombiq/UI-Testing-Toolbox/blob/dev/Lombiq.Tests.UI/SecurityScanning/YamlDocumentExtensions.cs#L107

I don't remember the reason for the admin config, but that perhaps makes more sense here: keep in mind that it's easier to override the C# config from a delegate, than modify the YML document. Maybe we want to override that. I can't imagine this for the shortcuts rule, though.

@sarahelsaig sarahelsaig merged commit f9ecdfd into task/system-text-json-migration Aug 23, 2024
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Piedone Piedone Piedone requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sarahelsaig @Piedone