From 74d4acbc0f499dbd7c8acc24dc62c1ad8c1c312b Mon Sep 17 00:00:00 2001
From: githubofkrishnadhas
Date: Sat, 12 Apr 2025 21:24:02 +0530
Subject: [PATCH 1/4] github workflow forimage push
---
.github/workflows/image.yml | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 .github/workflows/image.yml
diff --git a/.github/workflows/image.yml b/.github/workflows/image.yml
new file mode 100644
index 0000000..9416075
--- /dev/null
+++ b/.github/workflows/image.yml
@@ -0,0 +1,33 @@
+name: build-publish-jdk11-dind-image
+on:
+ workflow_dispatch:
+
+
+run-name: build-publish-sample-python-image
+jobs:
+ build-publish-jdk11-dind-image:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Log in to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Build and docker image with tag
+ uses: docker/build-push-action@v6
+ with:
+ file: Dockerfile
+ push: true
+ tags: |
+ ${{ secrets.DOCKERHUB_USERNAME }}/sample-python-image:latest
From f09d61fe93c55b81cc2999d5771c09e2b996c495 Mon Sep 17 00:00:00 2001
From: githubofkrishnadhas
Date: Sat, 12 Apr 2025 22:55:51 +0530
Subject: [PATCH 2/4] If unsanitized user input is written to a log entry, a malicious user may be able to forge new log entries.
---
app/quickapi.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/quickapi.py b/app/quickapi.py
index 875a312..c341212
--- a/app/quickapi.py
+++ b/app/quickapi.py
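Review bot: Every third-party action in this workflow (`actions/checkout@v4`, `docker/login-action@v3`, `docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v3`, `docker/build-push-action@v6`) is pinned to a mutable major tag, so whoever controls those tags can run arbitrary code in a job that holds the Docker Hub access token; pin each `uses:` to a full commit SHA and keep the version in a trailing comment. The job declares no `permissions:` block, so the default `GITHUB_TOKEN` scopes apply although it only needs to read the repository; add `permissions:` / `contents: read` at the workflow or job level. Pushing only the mutable `:latest` tag leaves consumers nothing immutable to reference; also tag with `${{ github.sha }}` and record the image digest the build-push step outputs. `DOCKERHUB_USERNAME` is used inside the image tag, and because it is a secret GitHub masks it in the logs of this and every later step; a repository variable (`vars.DOCKERHUB_USERNAME`) avoids that. Finally `name:` and the job id say `jdk11-dind` while `run-name:` and the tag say `sample-python-image`; pick one so the workflow is identifiable in the Actions UI.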
@@ -40,7 +40,8 @@ async def create_item(item: UserColorEntry):
 """Create an item with a username and users favourite colour and return it."""
 user_colour.append(item)
 print(user_colour)
- logger.info(item)
+ # Sanitize log message to prevent log injection
+ logger.info("New user-color entry added: username=%s, color=%s", item.username, item.color)
 return item
 
 # List all user_colour mappings
From 1b85abb4aa74d7a18ae62c8962eb1e8993daa8d9 Mon Sep 17 00:00:00 2001
From: Krishnadhas N K <108367225+githubofkrishnadhas@users.noreply.github.com>
Date: Sun, 13 Apr 2025 00:56:51 +0530
Subject: [PATCH 3/4] Potential fix for code scanning alert no. 3: Log Injection
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
app/quickapi.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/app/quickapi.py b/app/quickapi.py
index c341212..ff26fb7
--- a/app/quickapi.py
+++ b/app/quickapi.py
@@ -41,7 +41,9 @@ async def create_item(item: UserColorEntry):
 user_colour.append(item)
 print(user_colour)
 # Sanitize log message to prevent log injection
- logger.info("New user-color entry added: username=%s, color=%s", item.username, item.color)
+ sanitized_username = item.username.replace('\r\n', '').replace('\n', '')
+ sanitized_color = item.color.replace('\r\n', '').replace('\n', '')
+ logger.info("New user-color entry added: username=%s, color=%s", sanitized_username, sanitized_color)
 return item
 
 # List all user_colour mappings
From ef74860d06a60a153371e9cc3bf7d6b7f17c5f0c Mon Sep 17 00:00:00 2001
From: githubofkrishnadhas
Date: Thu, 17 Apr 2025 22:28:37 +0530
Subject: [PATCH 4/4] DEVOPS-326 hotfix commit fix log
---
app/quickapi.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/app/quickapi.py b/app/quickapi.py
index ff26fb7..15e264f
--- a/app/quickapi.py
+++ b/app/quickapi.py
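Review bot: The new `logger.info` call does not sanitize anything — `%s` formatting inserts `item.username` and `item.color` verbatim, so a value containing `\n` or `\r` still starts a forged log line, and the added comment `# Sanitize log message to prevent log injection` is inaccurate. The one-line fix is to let the formatter escape control characters: `logger.info("New user-color entry added: username=%r, color=%r", item.username, item.color)`, which renders a newline as the two characters `\n`. The unchanged `print(user_colour)` line still writes the raw entry to stdout, which is just as injectable if stdout is collected as logs. Whether `UserColorEntry` actually exposes `username` and `color` is not visible here; the later hotfix in this series renames them to `name` / `favorite_color`, which suggests this line would raise `AttributeError` at runtime. `create_item` starts before this hunk.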
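Review bot: The `.replace('\r\n', '').replace('\n', '')` chain on the three added lines leaves a lone `\r` in place, so a value such as `x\rINFO forged entry` still overwrites or forges a line in terminals and many log viewers, and other control characters (`\x08`, `\x1b[...` ANSI escapes, `\x85`, `\u2028`) pass through untouched. Stripping also silently alters the value that gets logged, whereas escaping keeps it faithful and searchable; `%r` does that in one line: `logger.info("New user-color entry added: username=%r, color=%r", item.username, item.color)`. If either attribute can be `None` or a non-str type (not visible from this hunk — confirm against `UserColorEntry`), `.replace` itself raises `AttributeError`, so wrap the value in `str(...)` if the stripping approach is kept. The enclosing `create_item` starts before this hunk.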
@@ -41,9 +41,9 @@ async def create_item(item: UserColorEntry):
 user_colour.append(item)
 print(user_colour)
 # Sanitize log message to prevent log injection
- sanitized_username = item.username.replace('\r\n', '').replace('\n', '')
- sanitized_color = item.color.replace('\r\n', '').replace('\n', '')
- logger.info("New user-color entry added: username=%s, color=%s", sanitized_username, sanitized_color)
+ sanitized_username = item.name.replace('\r\n', '').replace('\n', '')
+ sanitized_color = item.favorite_color.replace('\r\n', '').replace('\n', '')
+ logger.info("New user-color entry added: name=%s, favorite_colour=%s", sanitized_username, sanitized_color)
 return item
 
 # List all user_colour mappings
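Review bot: The rename to `item.name` / `item.favorite_color` presumably fixes an `AttributeError` left by the previous two commits, but the sanitizer itself is unchanged and still removes only `\r\n` and `\n`; a bare `\r` and other control characters (`\x08`, `\x1b`, `\u2028`) still reach the log, so the `# Sanitize log message to prevent log injection` comment overstates what the code does. Replacing the three added lines with `logger.info("New user-color entry added: name=%r, favorite_color=%r", item.name, item.favorite_color)` escapes every control character and drops the two intermediate locals. The format string also spells the key `favorite_colour` while the attribute is `favorite_color`, and the local is still named `sanitized_username` although it now holds `name`; align both so log lines can be searched by field name. `create_item` starts before this hunk.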