mirror of
https://github.com/GlueOps/autoglue.git
synced 2026-02-13 12:50:05 +01:00
7985b310c5
Refactor routing logic (Chi can be a pain when you're managing large sets of routes, but its one of the better options when considering a potential gRPC future)
Upgrade API Generation to fully support OAS3.1
Update swagger interface to RapiDoc - the old swagger interface doesnt support OAS3.1 yet
Docs are now embedded as part of the UI - once logged in they pick up the cookies and org id from what gets set by the UI, but you can override it
Other updates include better portability of the db-studio
Signed-off-by: allanice001 <allanice001@gmail.com>
101 lines
2.4 KiB
YAML
101 lines
2.4 KiB
YAML
# AutoGlue Semgrep configuration
|
|
# Use with: opengrep scan --config .semgrep.yml .
|
|
|
|
rules:
|
|
|
|
#
|
|
# 1. Suppress known benign “direct write to ResponseWriter” warnings
|
|
#
|
|
- id: autoglue.ignore.direct-write-static
|
|
message: Ignore direct writes for static or binary responses
|
|
languages: [go]
|
|
severity: INFO
|
|
metadata:
|
|
category: suppression
|
|
project: autoglue
|
|
patterns:
|
|
- pattern: |
|
|
_, _ = $W.Write($DATA)
|
|
pattern-inside: |
|
|
func $F($X...) {
|
|
...
|
|
}
|
|
paths:
|
|
include:
|
|
- internal/api/utils.go
|
|
- internal/handlers/ssh_keys.go
|
|
|
|
|
|
#
|
|
# 2. Enforce Allowed Origins checking in writePostMessageHTML
|
|
#
|
|
- id: autoglue.auth.require-origin-validation
|
|
message: >
|
|
writePostMessageHTML must validate `origin` against known allowed origins
|
|
to prevent token exfiltration via crafted state/redirect parameters.
|
|
languages: [go]
|
|
severity: ERROR
|
|
metadata:
|
|
category: security
|
|
project: autoglue
|
|
|
|
# Look for the JS snippet inside the Go string literal using a regex.
|
|
# This is NOT Go code, so we must use pattern-regex, not pattern.
|
|
pattern-regex: |
|
|
window\.opener\.postMessage\(\{ type: 'autoglue:auth', payload: data \}, .*?\);
|
|
|
|
paths:
|
|
include:
|
|
- internal/handlers/auth.go
|
|
|
|
|
|
#
|
|
# 3. Require httpOnly+Secure cookies for JWT cookies
|
|
#
|
|
- id: autoglue.cookies.ensure-secure-jwt
|
|
message: >
|
|
JWT cookies must always have a Secure field (true in prod, false only for localhost dev).
|
|
languages: [go]
|
|
severity: WARNING
|
|
metadata:
|
|
category: security
|
|
project: autoglue
|
|
|
|
patterns:
|
|
# 1) Find any SetCookie for ag_jwt
|
|
- pattern: |
|
|
http.SetCookie($W, &http.Cookie{
|
|
Name: "ag_jwt",
|
|
...
|
|
})
|
|
# 2) BUT ignore cases where the Secure field is present
|
|
- pattern-not: |
|
|
http.SetCookie($W, &http.Cookie{
|
|
Name: "ag_jwt",
|
|
Secure: $SECURE,
|
|
...
|
|
})
|
|
|
|
paths:
|
|
include:
|
|
- internal/handlers/auth.go
|
|
|
|
|
|
#
|
|
# 4. Ban path.Clean for user-controlled paths
|
|
#
|
|
- id: autoglue.filesystem.no-path-clean
|
|
message: Use securejoin instead of path.Clean() for file paths.
|
|
languages: [go]
|
|
severity: WARNING
|
|
metadata:
|
|
category: security
|
|
project: autoglue
|
|
|
|
pattern: |
|
|
path.Clean($X)
|
|
|
|
paths:
|
|
include:
|
|
- internal/web/static.go
|