fix: Code changes for "CodeQL" issues fix #247

Merged
Roopan-Microsoft merged 7 commits into main from sfi-code-fix
Nov 22, 2025

Conversation

@Akhileswara-Microsoft
Contributor

Purpose

  • This pull request introduces several security enhancements across the codebase, focusing on input validation to prevent common vulnerabilities such as SSRF, path traversal, command injection, and SQL injection. The changes are grouped below by theme and include the most important updates.

SSRF and URL Validation Improvements:

  • Added AntiSsrfValidation in DocumentManager.cs to validate URLs before downloading files, ensuring only HTTPS URLs from allowed domains are accepted and blocking SSRF attacks. [1] [2]

File Name and Path Security:

  • Introduced EnsureSafeSimpleFileName in ESRSGapAnalysisManager.cs to validate file names for report generation and deletion, preventing path traversal and restricting characters to a safe whitelist. This method is now called before using file names for blob and local file operations. [1] [2] [3] [4]
  • Added ValidateFilePath in HtmlPdfConverter.cs to check file paths for dangerous characters before passing them to external processes, mitigating command injection risks. [1] [2]

SQL Injection Prevention:

  • Added validation of table names via PostgresSchema.ValidateTableName in PostgresDbClient.cs before constructing SQL statements, preventing SQL injection attacks. [1] [2]

Documentation and CodeQL Annotations:

  • Added inline comments and CodeQL references to clarify security mitigations and document the rationale for validation steps, aiding future code reviews and audits. [1] [2] [3] [4]

These changes collectively strengthen the application's defenses against several security threats by enforcing strict validation of user and system inputs.

Does this introduce a breaking change?

  • Yes
  • No

Golden Path Validation

  • I have tested the primary workflows (the "golden path") to ensure they function correctly without errors.

Deployment Validation

  • I have validated the deployment process successfully and all services are running as expected with this change.

What to Check

Verify that the following are valid

  • ...

Other Information

…spaces

or special characters, and addresses CodeQL path injection vulnerability.
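The URL check described under "SSRF and URL Validation Improvements", sketched as an added example; this is not the PR's `AntiSsrfValidation` code. The class name `DownloadUrlAllowlist`, the comma-separated format of `AllowedDomains`, the rejection of an empty allowlist and of embedded credentials, and the `example.test` hosts are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical helper for illustration; not the AntiSsrfValidation code from this PR.
public sealed class DownloadUrlAllowlist
{
    private readonly HashSet<string> _hosts;

    // allowedDomains: comma-separated host names (assumed format of AntiSSRF:AllowedDomains).
    public DownloadUrlAllowlist(string allowedDomains)
    {
        _hosts = new HashSet<string>(
            (allowedDomains ?? "").Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries),
            StringComparer.OrdinalIgnoreCase);
    }

    public bool IsAllowed(string url, out string reason)
    {
        // Fail closed: a deployment that configured no domains gets no downloads.
        if (_hosts.Count == 0) { reason = "no allowed domains configured"; return false; }
        if (!Uri.TryCreate(url, UriKind.Absolute, out var uri)) { reason = "not an absolute URL"; return false; }
        if (uri.Scheme != Uri.UriSchemeHttps) { reason = "scheme is not https"; return false; }
        if (!string.IsNullOrEmpty(uri.UserInfo)) { reason = "credentials embedded in URL"; return false; }
        // Exact match on the parsed host: prefix or substring tests on the raw string
        // would accept "files.example.test.other.test" or "files.example.test@10.0.0.5".
        if (!_hosts.Contains(uri.IdnHost)) { reason = $"host '{uri.IdnHost}' not in allowlist"; return false; }
        reason = "ok";
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample values; files.example.test stands in for a deployment-specific domain.
        var allowlist = new DownloadUrlAllowlist("files.example.test");
        string[] samples =
        {
            "https://files.example.test/report.pdf",
            "http://files.example.test/report.pdf",
            "https://files.example.test.other.test/report.pdf",
            "https://files.example.test@10.0.0.5/report.pdf",
            "https://10.0.0.5/internal",
        };
        foreach (var s in samples)
        {
            bool ok = allowlist.IsAllowed(s, out string why);
            Console.WriteLine("{0}  {1}  ({2})", ok ? "ALLOW" : "BLOCK", s, why);
        }
        bool emptyOk = new DownloadUrlAllowlist("").IsAllowed(samples[0], out string emptyWhy);
        Console.WriteLine("{0}  empty allowlist  ({1})", emptyOk ? "ALLOW" : "BLOCK", emptyWhy);
    }
}
```

A host allowlist only covers the URL it is given: if the download client follows redirects, each redirect target needs the same check, or automatic redirects can be turned off with `HttpClientHandler.AllowAutoRedirect = false`.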
@Akhileswara-Microsoft
Contributor Author

@Akhileswara-Microsoft please read the following Contributor License Agreement (CLA). If you agree with the CLA, please reply with the following information.

@microsoft-github-policy-service agree [company="{your company}"]

Options:

  • (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.
@microsoft-github-policy-service agree
  • (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.
@microsoft-github-policy-service agree company="Microsoft"

Contributor License Agreement

@microsoft-github-policy-service agree company="Microsoft"

"processwatcherUrl": "{{ gapanalysisprocesswatcherurl }}"
},
"AntiSSRF": {
"AllowedDomains": "microsoft.seismic.com"
Collaborator

Don't add any value here. We cannot determine the URL used by users.

@Roopan-Microsoft Roopan-Microsoft merged commit 4d7dc23 into main Nov 22, 2025
3 checks passed