Skip to content

fix(storage): remove dead DelegateRequest to resolve CodeQL SSRF alert#228

Merged
notque merged 2 commits into
masterfrom
fix/remove-dead-delegate-request
Jun 6, 2026
Merged

fix(storage): remove dead DelegateRequest to resolve CodeQL SSRF alert#228
notque merged 2 commits into
masterfrom
fix/remove-dead-delegate-request

Conversation

@notque
Copy link
Copy Markdown
Contributor

@notque notque commented Jun 4, 2026

Summary

  • Removes DelegateRequest method and its helper mapURL — dead code since 2019 that triggers CodeQL alert Catalog discovery #15 (go/request-forgery)
  • Updates sendToPrometheus comment to reflect that all callers now use buildURL() exclusively
  • Adds //nolint:unparam for method parameter (always "GET" now that the only non-GET caller is gone)

Context

CodeQL's go/request-forgery rule tracks taint from DelegateRequest's *http.Request parameter through mapURL()sendToPrometheus()httpClient.Do(). The previous fix (PR #227) added runtime host validation, but CodeQL doesn't recognize custom validators as sanitizers — the alert persisted.

DelegateRequest was introduced in 2017 (PR #19) for a generic request-forwarding handler (forwardRequest) that was committed already commented out and deleted in 2019. It has zero callers — all API endpoints use the typed methods (Query, QueryRange, Series, etc.) via buildURL().

Verification

  • 3 independent analysis passes confirmed dead code (static references, git history, route-handler mapping)
  • make check passes (tests, golangci-lint, license, build)
  • No behavioral change — no code path ever reached DelegateRequest

Test plan

@notque
fix(storage): remove dead DelegateRequest to resolve CodeQL SSRF alert
eb63117 
DelegateRequest and its helper mapURL were never called from production
code — the intended caller (forwardRequest) was commented out at
introduction in 2017 and deleted in 2019. Removing them eliminates the
taint flow that CodeQL alert #15 (go/request-forgery) tracks, since no
user-controlled URL now reaches sendToPrometheus.
@notque notque requested a review from Copilot June 4, 2026 21:04
Copilot AI reviewed Jun 4, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request removes long-dead Prometheus storage client request-forwarding code (DelegateRequest and mapURL) to eliminate a persistent CodeQL go/request-forgery (SSRF) alert path, while keeping the remaining Prometheus calls routed through buildURL() and sendToPrometheus().

Changes:

  • Removed (*prometheusStorageClient).DelegateRequest() and helper mapURL() as unused dead code.
  • Updated sendToPrometheus() comment to reflect the intended URL construction flow and retained a generic method parameter with //nolint:unparam.
  • Removed DelegateRequest from the storage.Driver interface.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
pkg/storage/prometheus.go Drops DelegateRequest/mapURL and updates sendToPrometheus documentation + lint suppression.
pkg/storage/interface.go Removes DelegateRequest from the Driver interface to match the implementation cleanup.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread pkg/storage/prometheus.go Outdated
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Jun 4, 2026

Merging this branch will increase overall coverage

Impacted Packages Coverage Δ 🤖
github.com/SAP-cloud-infrastructure/maia/pkg/storage 84.14% (+7.89%) 👍
Coverage by file

Changed files (no unit tests)

Changed File Coverage Δ Total Covered Missed 🤖
github.com/SAP-cloud-infrastructure/maia/pkg/storage/interface.go 68.00% (ø) 125 85 40
github.com/SAP-cloud-infrastructure/maia/pkg/storage/prometheus.go 79.73% (+7.78%) 370 (-40) 295 75 (-40) 👍

Please note that the "Total", "Covered", and "Missed" counts above refer to code statements instead of lines of code. The value in brackets refers to the test coverage of that file in the old version of the code.

viennaa
viennaa approved these changes Jun 5, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@viennaa viennaa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dead code removal 👍

@notque notque merged commit f07ab8c into master Jun 6, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@viennaa viennaa viennaa approved these changes

@LeoZhangZXZ LeoZhangZXZ Awaiting requested review from LeoZhangZXZ LeoZhangZXZ is a code owner

@notandy notandy Awaiting requested review from notandy notandy is a code owner

@Kuckkuck Kuckkuck Awaiting requested review from Kuckkuck Kuckkuck is a code owner

@richardtief richardtief Awaiting requested review from richardtief richardtief is a code owner

@olandr olandr Awaiting requested review from olandr olandr is a code owner

@joluc joluc Awaiting requested review from joluc joluc is a code owner

@trouaux trouaux Awaiting requested review from trouaux trouaux is a code owner

@ibakshay ibakshay Awaiting requested review from ibakshay ibakshay is a code owner

@ashifnihalb ashifnihalb Awaiting requested review from ashifnihalb ashifnihalb is a code owner

@timojohlo timojohlo Awaiting requested review from timojohlo timojohlo is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@notque @viennaa