
ci(codeql): skip warning in the test file #13406


Closed
wants to merge 4 commits into from

Conversation

lukidzi
Contributor

@lukidzi lukidzi commented Apr 15, 2025

Motivation

We can see security issues, but they are not, since we use these files only in tests.

Implementation information

Ignore this validation on the specific line.

Supporting documentation

Changelog: skip

Signed-off-by: Lukasz Dziedziak <lukidzi@gmail.com>
@lukidzi lukidzi added the ci/skip-test PR: Don't run unit and e2e tests (maybe this is just a doc change) label Apr 15, 2025

Reviewer Checklist

🔍 Each of these sections needs to be checked by the reviewer of the PR 🔍:
If something doesn't apply, please check the box and add a justification if the reason is non-obvious.

  • Is the PR title satisfactory? Is this part of a larger feature and should be grouped using > Changelog?
  • PR description is clear and complete. It links to the relevant issue as well as docs and UI issues.
  • This will not break child repos: it doesn't hardcode values (e.g. "kumahq" as an image registry).
  • IPv6 is taken into account (e.g. no string concatenation of host and port).
  • Tests (unit tests, E2E tests, manual test on universal and k8s)
    • Don't forget ci/ labels to run additional/fewer tests
  • Does this contain a change that needs to be notified to users? In this case, UPGRADE.md should be updated.
  • Does it need to be backported according to the backporting policy? (This GH action will add the "backport" label based on these file globs; if you want to prevent it from adding the "backport" label, use the no-backport-autolabel label.)

Signed-off-by: Lukasz Dziedziak <lukidzi@gmail.com>
lukidzi added 2 commits April 15, 2025 10:33
Signed-off-by: Lukasz Dziedziak <lukidzi@gmail.com>
Signed-off-by: Lukasz Dziedziak <lukidzi@gmail.com>
@@ -74,14 +74,14 @@
Auth: []ssh.AuthMethod{
ssh.PublicKeys(signer),
},
HostKeyCallback: ssh.InsecureIgnoreHostKey(), //#nosec G106 // skip for tests
HostKeyCallback: ssh.InsecureIgnoreHostKey(), // lgtm[go/insecure-hostkeycallback] //#nosec G106 // skip for tests

Check failure (Code scanning / CodeQL): Use of insecure HostKeyCallback implementation. Severity: High, category: test.
Configuring SSH ClientConfig with insecure HostKeyCallback implementation from this source.


}

client, err = ssh.Dial("tcp", net.JoinHostPort(s.RemoteHost.Address,
strconv.Itoa(s.RemoteHost.Port)), configCfg)
} else {
client, err = ssh.Dial("tcp", net.JoinHostPort("localhost", s.SshPort), &ssh.ClientConfig{
HostKeyCallback: ssh.InsecureIgnoreHostKey(), //#nosec G106 // skip for tests // lgtm [go/insecure-hostkeycallback]
HostKeyCallback: ssh.InsecureIgnoreHostKey(), // lgtm[go/insecure-hostkeycallback] //#nosec G106 // skip for tests
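Review bot: the CodeQL annotation is still attached to the changed line in both places, so moving `lgtm[go/insecure-hostkeycallback]` to the front of the comment (the old line already carried `// lgtm [go/insecure-hostkeycallback]` with a space, and that did not work either) does not suppress the alert under this code-scanning setup. Since the whole file lives under `test/framework/universal/`, a cleaner fix is to exclude test code through `paths-ignore` in the CodeQL workflow configuration, or, if inline suppression is preferred, the `codeql[go/insecure-hostkeycallback]` comment form that newer CodeQL releases recognise; the `//#nosec G106` marker stays as the gosec suppression. Keeping `ssh.InsecureIgnoreHostKey()` is defensible only because these connections go to throwaway test hosts, and the comment should say that rather than just "skip for tests".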

Check failure (Code scanning / CodeQL): Use of insecure HostKeyCallback implementation. Severity: High, category: test.
Configuring SSH ClientConfig with insecure HostKeyCallback implementation from this source.


Copilot Autofix (AI, 3 days ago)

To fix the problem, we need to replace the insecure ssh.InsecureIgnoreHostKey() with a secure host key callback implementation. The best way to do this is to use the ssh.FixedHostKey function, which validates the host key against a predefined allow list. This ensures that only trusted host keys are accepted, mitigating the risk of MitM attacks.

  1. Read the allowed host key from a file (e.g., allowed_hostkey.pub).
  2. Parse the public key using ssh.ParsePublicKey.
  3. Use the parsed public key with ssh.FixedHostKey to create a secure HostKeyCallback.
Suggested changeset 1: test/framework/universal/networking.go

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/test/framework/universal/networking.go b/test/framework/universal/networking.go
--- a/test/framework/universal/networking.go
+++ b/test/framework/universal/networking.go
@@ -76,3 +76,16 @@
 					},
-					HostKeyCallback: ssh.InsecureIgnoreHostKey(), // lgtm[go/insecure-hostkeycallback] //#nosec G106 // skip for tests
+					HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
+						allowedKey, err := ioutil.ReadFile("allowed_hostkey.pub")
+						if err != nil {
+							return fmt.Errorf("failed to read allowed host key: %w", err)
+						}
+						parsedKey, err := ssh.ParsePublicKey(allowedKey)
+						if err != nil {
+							return fmt.Errorf("failed to parse allowed host key: %w", err)
+						}
+						if bytes.Equal(key.Marshal(), parsedKey.Marshal()) {
+							return nil
+						}
+						return fmt.Errorf("host key verification failed")
+					},
 				}
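Review bot: `ssh.ParsePublicKey` takes the decoded wire-format blob, whereas a `.pub` file such as `allowed_hostkey.pub` holds the authorized_keys text form (`ssh-ed25519 AAAA... comment`), so the callback in this hunk will fail to parse the file on every connection and never accept any host; the file contents need `ssh.ParseAuthorizedKey`. The `bytes.Equal` comparison reimplements `ssh.FixedHostKey(parsedKey)`, which the explanation above already names, and the patch adds neither the `bytes`, `fmt` and `io/ioutil` imports nor the key file itself (`io/ioutil` is also deprecated in favour of `os.ReadFile`). Read and parse the key once when the `ssh.ClientConfig` is built, not inside the callback.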
@@ -83,3 +96,16 @@
 				client, err = ssh.Dial("tcp", net.JoinHostPort("localhost", s.SshPort), &ssh.ClientConfig{
-					HostKeyCallback: ssh.InsecureIgnoreHostKey(), // lgtm[go/insecure-hostkeycallback] //#nosec G106 // skip for tests
+					HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
+						allowedKey, err := ioutil.ReadFile("allowed_hostkey.pub")
+						if err != nil {
+							return fmt.Errorf("failed to read allowed host key: %w", err)
+						}
+						parsedKey, err := ssh.ParsePublicKey(allowedKey)
+						if err != nil {
+							return fmt.Errorf("failed to parse allowed host key: %w", err)
+						}
+						if bytes.Equal(key.Marshal(), parsedKey.Marshal()) {
+							return nil
+						}
+						return fmt.Errorf("host key verification failed")
+					},
 					User:            "root",
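Review bot: this hunk is a verbatim copy of the closure from the first hunk; factor it into one helper (a hypothetical `testHostKeyCallback(path string) (ssh.HostKeyCallback, error)`, for instance) so both `ssh.ClientConfig` values share it and the parsing problem only has to be fixed once. The relative path `allowed_hostkey.pub` also resolves against the test process's working directory, which differs between `go test` run from the package directory and a CI runner invoking the suite from the repository root; anchor it to a known location, or pass it through the same test configuration that already supplies `s.SshPort` and `s.RemoteHost`.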
EOF
@lukidzi lukidzi closed this Apr 15, 2025
@lukidzi lukidzi deleted the fix-warning-sec branch April 15, 2025 16:48