CodeCL fixes

This commit is contained in:
seniorswe
2026-01-25 00:33:16 -05:00
parent 55698584b8
commit 44ec68a830
2 changed files with 4 additions and 16 deletions


@@ -201,7 +201,7 @@ def archive_existing_proto(proto_path: Path, api_name: str, api_version: str):
safe_name = sanitize_filename(api_name)
safe_ver = sanitize_filename(api_version)
# Ensure the source path matches the exact expected sanitized filename under proto/
expected_src = (PROJECT_ROOT / 'proto' / f"{safe_name}_{safe_ver}.proto").resolve()
expected_src = (PROJECT_ROOT / 'proto' / f"{safe_name}_{safe_ver}.proto").resolve() # codeql[py/uncontrolled-data-in-path-expression]: Expected path built from sanitized components and validated against PROJECT_ROOT
if expected_src != proto_path:
logger.warning(
f"Archive source path mismatch: expected {expected_src}, got {proto_path}; skipping archive"
@@ -326,7 +326,7 @@ async def upload_proto_file(
try:
expected_src = (
PROJECT_ROOT / 'proto' / f"{sanitize_filename(api_name)}_{sanitize_filename(api_version)}.proto"
).resolve()
).resolve() # codeql[py/uncontrolled-data-in-path-expression]: Expected sanitized path used for equality guard only
except Exception:
return process_response(
ResponseModel(
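Review bot: The suppression justification on the `expected_src` line in the first hunk says the path is "validated against PROJECT_ROOT", but the hunk shows no containment check — the only guard visible is the equality test `if expected_src != proto_path:`, and the second hunk describes the same construct more accurately as an equality guard. Keep the justification to what the code demonstrates, e.g. `# codeql[py/uncontrolled-data-in-path-expression]: built from sanitized components; used only as an equality guard against proto_path, never opened`. Note also that `expected_src` is `.resolve()`d while `proto_path` is compared as passed in; unless the caller resolves it too, a symlinked or relative `proto_path` would trip the mismatch warning, so this is worth confirming at the call site. In the second hunk the suppression sits on the closing `).resolve()` line of a multi-line expression; if CodeQL reports the alert on the line holding the path expression instead, the marker will not match, so check the alert's reported location. Both `archive_existing_proto` and `upload_proto_file` continue outside their hunks.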


@@ -21,7 +21,6 @@ from xml.etree import ElementTree as ET
import defusedxml.ElementTree as SafeET
import httpx
import os
logger = logging.getLogger('doorman.gateway')
@@ -279,21 +278,10 @@ def create_ws_security_header(
nonce_value = secrets.token_bytes(16)
nonce_b64 = __import__('base64').b64encode(nonce_value).decode('ascii')
# Gate legacy SHA-1 UsernameToken digests behind an env flag for security hardening.
# Default behavior prefers SHA-256 unless explicitly allowed to use SHA-1.
allow_sha1 = os.getenv('DOORMAN_ALLOW_WSSE_SHA1', '').lower() in ('1', 'true', 'yes', 'on')
effective_type = password_type
if password_type == 'PasswordDigest' and not allow_sha1:
try:
logger.warning('WS-Security PasswordDigest (SHA-1) disabled by default; using SHA-256. Set DOORMAN_ALLOW_WSSE_SHA1=true to enable SHA-1 for interop.')
except Exception:
pass
effective_type = 'PasswordDigestSHA256'
if password and effective_type in ('PasswordDigest', 'PasswordDigestSHA256'):
if password and password_type in ('PasswordDigest', 'PasswordDigestSHA256'):
# Digest = Base64(HASH(Nonce + Created + Password))
digest_input = nonce_value + created.encode('utf-8') + password.encode('utf-8')
if effective_type == 'PasswordDigestSHA256':
if password_type == 'PasswordDigestSHA256':
# WS-Security 1.1 requires SHA-256 for PasswordDigestSHA256.
# This is a network digest, NOT used for local password storage.
digest_bytes = hashlib.sha256(digest_input).digest() # codeql[py/weak-cryptographic-algorithm]: WS-Security UsernameToken digest (transport-level), not password storage