fix: resolve CodeQL security alerts and fix dependabot config #65
Merged
Conversation
Security fixes:
- Replace SHA256 with PBKDF2-SHA256 (600k iterations) for auth token derivation. Existing session cookies will be invalidated (re-login required).
- Remove stack trace exposure from /internal/push error responses
- Use urlparse-based URL masking in all database URL logging to prevent sensitive data leakage (replaces string split patterns)

Config fix:
- Remove invalid duplicate Docker entry from dependabot.yml (used both directory and directories fields; Dependabot scans all Dockerfiles in /)

🐳 Dev images published!
The dev/test instance will pick up these changes automatically (Portainer GitOps). To test locally:
docker pull drumsergio/telegram-archive:dev
docker pull drumsergio/telegram-archive-viewer:dev
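The first commit above swaps a bare SHA256 for PBKDF2-SHA256 at 600k iterations when deriving the viewer auth token. The following is an added example, not the project's code: it assumes the cookie value is derived from a shared secret plus a per-deployment salt, and the function names, the salt, and the sample secret are illustrative. It shows why an old cookie stops verifying after the switch (the re-login the commit mentions) and why the comparison must be constant-time.

```python
"""Derive and verify a viewer auth token with PBKDF2-HMAC-SHA256.

Added example (not the project's code). Assumptions: the token is a hex
digest of a shared secret, salted per deployment; names are illustrative.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # work factor named in the commit message
DKLEN = 32             # 256-bit derived key


def new_salt() -> bytes:
    """Per-deployment random salt; store it next to the secret, not in the cookie."""
    return os.urandom(16)


def legacy_token(secret: str) -> str:
    """Old scheme: one unsalted SHA256 pass. Cheap to brute-force and
    identical across deployments (what py/weak-sensitive-data-hashing flags)."""
    return hashlib.sha256(secret.encode()).hexdigest()


def derive_token(secret: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """New scheme: PBKDF2-HMAC-SHA256, salted and iterated."""
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations, dklen=DKLEN)
    return dk.hex()


def verify_token(presented: str, secret: str, salt: bytes,
                 iterations: int = ITERATIONS) -> bool:
    """Recompute and compare in constant time.

    A cookie minted under legacy_token() never matches, so existing
    sessions are invalidated exactly once when this ships.
    """
    expected = derive_token(secret, salt, iterations)
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    salt = new_salt()
    cookie = derive_token("viewer-shared-secret", salt)   # constructed input
    print("new cookie verifies:", verify_token(cookie, "viewer-shared-secret", salt))
    print("legacy cookie verifies:",
          verify_token(legacy_token("viewer-shared-secret"), "viewer-shared-secret", salt))
```

The salt is what distinguishes this from "SHA256 run 600k times": two deployments with the same secret get different tokens, so a leaked token database from one instance cannot be replayed against another.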
- Mark implemented features as completed (reactions, stickers, PWA, WebSocket, push notifications, forum topics, folders, security)
- Renumber future milestones: Search v7, Forensic v8, Multi-tenancy v9
- Add new near-term items from security audit (rate limiting, JWT, session encryption, Docker healthchecks)
- Add developer experience section (OpenAPI, Prometheus, DB maintenance)
- Add viewer polish items (keyboard shortcuts, deep links, i18n)
- Add "Recently Completed" reference table
CodeQL taint analysis tracks through urlparse components, flagging the masked URL as still containing sensitive data. Switch to re.sub, which creates a genuinely new string that CodeQL does not track taint through.

Fixes CodeQL alerts: py/clear-text-logging-sensitive-data
CodeQL tracks taint through urlparse, re.sub, and string splitting, so any approach that derives the log string from the tainted URL will be flagged. Instead, construct the log-safe description from the non-sensitive environment variables (POSTGRES_HOST, POSTGRES_PORT, POSTGRES_DB, POSTGRES_USER) which are never password-tainted.
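The last commit above stops trying to scrub the password out of the connection URL and instead builds the log line from settings that never carried it. As an added example (not the project's code), the block below builds both the real DSN and the log-safe description from the same POSTGRES_* variables named in the commit; the default port, the function names, and the constructed environment are assumptions. It also shows the edge case that broke the earlier split('@') masking: a password containing '@', ':' or '/'.

```python
"""Build a PostgreSQL DSN and a log-safe description from component settings.

Added example (not the project's code). Assumes POSTGRES_HOST/PORT/DB/USER/
PASSWORD as in the commit; a missing POSTGRES_PORT defaults to 5432 here.
"""
import logging
import os
from urllib.parse import quote

REQUIRED = ("POSTGRES_HOST", "POSTGRES_DB", "POSTGRES_USER", "POSTGRES_PASSWORD")
DEFAULT_PORT = "5432"  # assumption for this example


def build_dsn(env) -> str:
    """Tainted value: carries the password and is handed only to the driver.

    quote(..., safe="") percent-encodes '@', ':' and '/' inside credentials,
    so a password like 'p@ss:w/rd' cannot be confused with the host part.
    """
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise KeyError("missing database settings: " + ", ".join(missing))
    user = quote(env["POSTGRES_USER"], safe="")
    password = quote(env["POSTGRES_PASSWORD"], safe="")
    host = env["POSTGRES_HOST"]
    port = env.get("POSTGRES_PORT", DEFAULT_PORT)
    db = quote(env["POSTGRES_DB"], safe="")
    return f"postgresql://{user}:{password}@{host}:{port}/{db}"


def describe_db(env) -> str:
    """Untainted value: reads only non-secret settings, never POSTGRES_PASSWORD.

    Because nothing here derives from the DSN, there is no masking step for a
    taint tracker to distrust and nothing a regex could miss.
    """
    return (
        f"postgresql://{env.get('POSTGRES_USER', '?')}@"
        f"{env.get('POSTGRES_HOST', '?')}:{env.get('POSTGRES_PORT', DEFAULT_PORT)}"
        f"/{env.get('POSTGRES_DB', '?')}"
    )


def connect_settings(env=None) -> str:
    """Log the safe description, return the real DSN for the connection call."""
    env = os.environ if env is None else env
    dsn = build_dsn(env)
    logging.getLogger(__name__).info("Connecting to %s", describe_db(env))
    return dsn


if __name__ == "__main__":
    # Constructed environment, including an awkward password.
    sample_env = {
        "POSTGRES_HOST": "db.internal", "POSTGRES_PORT": "5432",
        "POSTGRES_DB": "archive", "POSTGRES_USER": "archive",
        "POSTGRES_PASSWORD": "p@ss:w/rd",
    }
    logging.basicConfig(level=logging.INFO)
    connect_settings(sample_env)
    print(describe_db(sample_env))
```

If the deployment is configured with a single DATABASE_URL instead of components, the same idea still applies: parse it once into components at startup and log only the component fields, rather than logging a string derived from the URL.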
Summary
Resolves all 7 CodeQL security alerts from PR #64 and fixes invalid dependabot config.
CodeQL Alerts Fixed
- py/weak-sensitive-data-hashing: SHA256 replaced with PBKDF2-SHA256 (600k iterations) for auth token derivation
- py/stack-trace-exposure: /internal/push response no longer returns str(e)
- py/clear-text-logging-sensitive-data, db/base.py: urlparse-based URL reconstruction instead of string replace
- py/clear-text-logging-sensitive-data, migrate-sqlite-to-postgres.py: urlparse-based masking via _mask_db_url() helper
- py/clear-text-logging-sensitive-data, migrate_media_paths.py: urlparse-based masking instead of split('@')
Dependabot Fix
Removed invalid duplicate Docker entry that used both directory and directories fields. Dependabot's Docker ecosystem already scans all Dockerfiles in the specified directory.
Breaking Change (minor)
Existing viewer auth cookies will be invalidated due to the hashing algorithm change (SHA256 -> PBKDF2). Users will need to re-login once.
Test plan