Follow-up to #647 (merged at 3bf3f1b).
Background
Three CodeQL alerts persist on main after #647 merge, all on the new release-pipeline scripts:
| Severity | Rule | File:Line |
|---|---|---|
| error | `js/regex-injection` | `scripts/bulk-bump-versions.mjs:282` |
| warning | `js/indirect-command-line-injection` | `scripts/auto-bump-changed-plugins.mjs:96` |
| warning | `js/indirect-command-line-injection` | `scripts/auto-bump-changed-plugins.mjs:100` |
Why these are false positives
`js/regex-injection` (bulk-bump-versions.mjs `--filter` arg → `new RegExp()`):
- Script is dev-CLI only, run by maintainer locally. Not on any service surface.
- Mitigations in place: 200-char input cap, control-char rejection, try/catch on regex compile.
- An `lgtm[js/regex-injection]` suppression was added but CodeQL on GitHub doesn't honor that syntax (deprecated Semmle).
`js/indirect-command-line-injection` (auto-bump-changed-plugins.mjs `BASE_REF` env var → `spawnSync`):
- Env var source is GitHub Actions (`GITHUB_BASE_REF`), GitHub-controlled, not user-supplied at runtime.
- Mitigations in place: `SAFE_REF_RE` allowlist (`/^[A-Za-z0-9._/-]+$/`) gate before spawn; `spawnSync` called with argv-form + `shell: false`.
- CodeQL's taint tracking doesn't recognize `SAFE_REF_RE` as a sanitizer in dataflow analysis.
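An added example (not the repository's scripts) that puts the two mitigations listed above into plain functions with their edge cases: the `--filter` compile guard and the `SAFE_REF_RE` gate ahead of an argv-form, `shell: false` `spawnSync` call. Function names, the `origin/` ref prefix and the argv shape are assumptions, since the issue does not show the scripts' code.

```javascript
// Added example, not the repository's scripts: the two gates the issue
// describes, written as plain functions so their edge cases can be checked.
// Function names (compileFilter, assertSafeRef, gitDiffInvocation) are
// assumptions; only SAFE_REF_RE and the limits come from the issue text.

const MAX_FILTER_LEN = 200;
const CONTROL_CHAR_RE = /[\u0000-\u001f\u007f]/;

// --filter handling: length cap, control-char rejection, guarded compile.
// Returns a RegExp, or null when the input is refused or does not compile.
function compileFilter(src) {
  if (typeof src !== "string" || src.length > MAX_FILTER_LEN) return null;
  if (CONTROL_CHAR_RE.test(src)) return null;
  try {
    return new RegExp(src);
  } catch {
    return null; // malformed pattern: refuse rather than crash
  }
}

// Allowlist quoted in the issue for the BASE_REF value.
const SAFE_REF_RE = /^[A-Za-z0-9._/-]+$/;

// Gate a ref before it is ever placed in an argv. Throws on anything that
// is not a plain ref-like string (shell metacharacters, spaces, empty).
function assertSafeRef(ref) {
  if (typeof ref !== "string" || !SAFE_REF_RE.test(ref)) {
    throw new Error(`refusing unsafe ref: ${JSON.stringify(ref)}`);
  }
  return ref;
}

// Build the spawnSync invocation in argv form with shell:false, so no shell
// ever parses the ref. The "origin/" prefix is an assumed shape (the issue
// does not show the real argv); it also means a ref that SAFE_REF_RE lets
// through with a leading "-" cannot be read by git as an option.
function gitDiffInvocation(baseRef) {
  const ref = assertSafeRef(baseRef);
  return {
    cmd: "git",
    args: ["diff", "--name-only", `origin/${ref}...HEAD`],
    options: { shell: false, encoding: "utf8" },
  };
}
```

The real call is then `spawnSync(cmd, args, options)`; the example stops short of running git so it can be checked offline.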
Proposal
Add `.github/codeql/codeql-config.yml` with path-scoped rule suppressions for these specific files+rules. Reference the config from the CodeQL workflow init step. This documents the why-these-are-safe rationale in the repo instead of leaving it in the PR thread.
Acceptance
Out of scope
- Refactoring the scripts to satisfy CodeQL's taint analysis (would require significant indirection for no real-world security gain — scripts are dev/CI-only)
- Disabling CodeQL entirely
Estimated effort: 15-30 min.
jeremylongshore.com made me do it
-claude
intentsolutions.io