gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 17:51:29 +00:00
Code Issues Packages Projects Releases Wiki Activity
628 Commits 1 Branch 82 Tags
482e952dde62e8c743ce9d1f37f514797808df96
Commit Graph

3 Commits

Author SHA1 Message Date
shankar0123 482e952dde ci(codeql): rewire local model pack discovery — fix 1122f5a silent no-op 
Two CodeQL runs (commits 1122f5a + c4157fd) since the initial Option A
landing both completed with conclusion=success but failed to dismiss
alert #23 (go/request-forgery on scep_probe.go:232). Root cause: the
local pack never loaded.

The bug was in codeql-config.yml — `packs: { go: ['./'] }` looked
plausible (the path is relative to the config file's directory) but
the `packs:` field requires pack NAMES, not paths. Discovery of
unpublished local packs goes through the codeql-action `init` step's
`additional-packs:` input, not through `packs:`.

Verified pattern by reading github/vscode-codeql's working
.github/codeql/ setup. The supported chain:

   workflow init step      passes additional-packs: <parent-dir>
                                        ↓
       CodeQL CLI           registers each pack under the parent
                                        ↓
   codeql-config.yml        names the pack in `packs: go: [name]`
                                        ↓
       CodeQL CLI           resolves the name → pack on disk
                                        ↓
   pack's qlpack.yml        declares extensionTargets: codeql/go-all
                                        ↓
   data extension YAML      auto-loads, applies the barrier rows

Restructure to match this chain:

  Before                                    After
  --------                                  -----
  .github/codeql/qlpack.yml                .github/codeql/codeql-config.yml
  .github/codeql/models/                   .github/codeql/certctl-models/
    request-forgery-sanitizers.model.yml     qlpack.yml
  .github/codeql/codeql-config.yml           models/
                                               request-forgery-sanitizers.model.yml

The new `.github/codeql/certctl-models/` is the pack directory, named
to match `name: shankar0123/certctl-models` in qlpack.yml. Its parent
`.github/codeql/` is what additional-packs points at. The action
discovers the pack by walking the parent dir, sees the qlpack.yml,
registers the name, and `packs:` lookup succeeds.

Three concrete changes:

  - Pack moves from .github/codeql/{qlpack.yml, models/} into the
    sibling subdirectory .github/codeql/certctl-models/.

  - codeql-config.yml's packs: directive now uses the pack NAME
    (`shankar0123/certctl-models`) instead of the broken `./` path.

  - codeql.yml's Initialize CodeQL step gains
    `additional-packs: .github/codeql` so the CLI's resolver knows
    where to find unpublished packs.

Belt-and-suspenders correctness fix: the model row's `subtypes`
column now uses `False` (Python-style capitalized) instead of `false`
to match every shipped CodeQL Go .model.yml convention. SnakeYAML
accepts lowercase too — this is a hedge against any strict-format
tooling in the path.

Why this matters: alert #23 is rated Critical with CWE-918 + CWE-180.
The runtime defense is correct (validate-then-pin via
ValidateSafeURL + SafeHTTPDialContext), but the analyzer doesn't
know it. With the pack actually loading this time, the next CodeQL
run will see the barrier and dismiss the alert at source. Same fix
implicitly applies to the webhook notifier's outbound client.Do
(the second site that uses ValidateSafeURL).

Operator: push and watch the next CodeQL run dismiss alert #23. If
it doesn't, the next iteration will be on the YAML row's column
shape — most likely a one-line tweak, not another redesign.
 2026-05-01 01:08:48 +00:00
shankar0123 1122f5a097 ci(codeql): teach analyzer about ValidateSafeURL SSRF barrier 
Closes CodeQL alert #23 (go/request-forgery, Critical) at the
structural level — by telling CodeQL what the runtime code already
does — rather than via per-line `// codeql[...]` suppressions.

Background. internal/service/scep_probe.go:232 calls client.Do(req)
where the request URL is built from operator-supplied input. The
runtime defense is two-layer:

  1. validation.ValidateSafeURL(rawURL) at scep_probe.go:86 rejects
     non-http(s) schemes, empty hosts, literal-IP hosts in reserved
     ranges (loopback, link-local incl. cloud metadata
     169.254.169.254, multicast, broadcast, unspecified, IPv6
     link-local), and DNS names whose A/AAAA resolution returns any
     reserved IP. RFC 1918 is intentionally NOT blocked — see
     internal/validation/ssrf.go:17-21 for the design rationale.

  2. validation.SafeHTTPDialContext on the http.Transport (line 254)
     re-resolves at dial time, applies the same reserved-IP set, and
     pins the dial to a literal non-reserved IP — defeating DNS
     rebinding between validate and dial.

CodeQL's go/request-forgery query is a syntactic taint-tracking rule
with no built-in knowledge of either validator, so it reports the
finding even though the runtime is correctly defended.

The fix. Add a Models-as-Data (MaD) extension at .github/codeql/
declaring ValidateSafeURL as a request-forgery barrier. The barrier
applies to Argument[0] (the URL parameter), which means the analyzer
treats every URL flowing through ValidateSafeURL as sanitized for the
request-forgery taint set. After this lands:

  - Alert #23 dismisses at scep_probe.go:232.
  - The same model applies to the second site of this exact shape —
    webhook notifier's outbound client.Do (internal/connector/
    notifier/webhook/webhook.go) — without per-line annotations.
  - Future code that flows operator URLs through ValidateSafeURL
    inherits the barrier automatically.

This is the structural fix, not a band-aid:

  - Band-aid (rejected): `// codeql[go/request-forgery]` suppression
    on line 232. Suppresses one alert; doesn't teach the analyzer.
    Webhook notifier would need the same comment when its sibling
    rule landing fires.

  - Structural (this change): teach CodeQL via models-as-data, in
    config checked into the repo, that lives next to the workflow
    that uses it. The validators ARE sanitizers in the runtime —
    this PR makes the analyzer's model match reality.

Files:

  - .github/codeql/qlpack.yml — local model pack manifest, declares
    extensionTargets: codeql/go-all: '*'

  - .github/codeql/models/request-forgery-sanitizers.model.yml —
    barrierModel row for validation.ValidateSafeURL Argument[0] /
    request-forgery taint kind / manual provenance

  - .github/codeql/codeql-config.yml — references the local pack +
    keeps security-and-quality query suite scope

  - .github/workflows/codeql.yml — Initialize CodeQL step picks up
    config-file: ./.github/codeql/codeql-config.yml. The existing
    `queries: security-and-quality` line stays so even if the config
    file fails to load, the suite scope is preserved.

  - docs/architecture.md::Input Validation and SSRF Protection —
    extended to name the egress validators (ValidateSafeURL +
    SafeHTTPDialContext) and the call sites (SCEP probe + webhook
    notifier). Closes the docs gap surfaced during the audit; the
    egress threat-model previously lived only in source comments.

Requires CodeQL CLI ≥ 2.25.2 for the barrierModel extensible
predicate (Go MaD support added 2026-04-21). github/codeql-action@v3
ships a recent enough CLI by default; if a future analysis fails
with "unknown extensible predicate barrierModel", the action's CLI
has regressed below 2.25.2 — pin a newer action version rather than
reverting this pack. Documented inline in qlpack.yml.

References:
  - https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-go/
  - https://github.blog/changelog/2026-04-21-codeql-now-supports-sanitizers-and-validators-in-models-as-data/
 2026-05-01 00:28:26 +00:00
shankar0123 77b0452a2f Add CodeQL workflow — public SAST baseline in Security tab 
Triggered by Reddit feedback (sysadmin user ran Aikido against the
public repo, reported critical command/file-inclusion findings, won't
deploy without seeing scanner-public credibility). Aikido's free tier
gates on OSI-approved licenses, which excludes BSL 1.1; CodeQL is
GitHub-native and free for public repos regardless of license.

Why CodeQL on top of the existing security-deep-scan.yml gosec /
osv-scanner / trivy / ZAP / semgrep / schemathesis / nuclei / testssl:
gosec is single-file pattern matching; CodeQL does interprocedural
taint tracking that catches the same vulnerability classes when input
is laundered through several function calls or struct fields. SARIF
results land in the public Security tab where any operator/security
team auditing certctl can see scan history and triage state without
asking.

Workflow shape
=================
  - Triggers: push to master, PR to master, weekly Sun 06:00 UTC
  - Matrix: go + javascript-typescript
  - Query suite: security-and-quality (security + maintainability,
    comparable to Aikido / SonarCloud scope)
  - Go version: 1.25.9 (matches ci.yml + release.yml + security-
    deep-scan.yml)
  - SARIF auto-uploads via codeql-action/analyze@v3 (implicit;
    populates Security → Code scanning tab)
  - permissions: contents:read + security-events:write + actions:read
  - Fail-fast: false (Go and JS analysis run independently)
  - Timeout: 30min

Suppressions for known-intentional findings (e.g., SSH connector's
InsecureIgnoreHostKey, ACME script-callout shell-out) get inline
codeql[<rule-id>] comments OR config-pack tweaks in a follow-up
commit, with the threat-model justification cited so external
readers see why the finding is intentional.

Verification
=================
  - python3 yaml.safe_load(.github/workflows/codeql.yml): OK
  - First run will surface in the Security tab on next push to master

Bundle: security/codeql-baseline
 2026-04-28 15:10:40 +00:00