
Address some CodeQL security concerns#35572

Merged
wxiaoguang merged 4 commits into
go-gitea:mainfrom
wxiaoguang:fix-codeql
Oct 3, 2025

Conversation

@wxiaoguang
Contributor

Although there is no real security problem

@wxiaoguang wxiaoguang merged commit 71360a9 into go-gitea:main Oct 3, 2025
26 checks passed
@GiteaBot GiteaBot added this to the 1.26.0 milestone Oct 3, 2025
@wxiaoguang wxiaoguang deleted the fix-codeql branch October 3, 2025 17:21
@wxiaoguang wxiaoguang added the skip-changelog This PR is irrelevant for the (next) changelog, for example bug fixes for unreleased features. label Oct 3, 2025
Comment thread cmd/admin_user_create.go
if err != nil {
return err
}
// codeql[disable-next-line=go/clear-text-logging]
Contributor Author

@wxiaoguang wxiaoguang Oct 3, 2025


It's a shame that CodeQL doesn't support such inline-disabling. I was cheated by AI.

CodeQL is missing an inline mechanism to suppress warnings github/codeql#11427

Member

@silverwind silverwind Oct 4, 2025


Never blindly trust AI, always verify 😆

Contributor Author


Yup, I never blindly trust AI. But at the moment I don't have a way to test the CodeQL-related changes locally. So after the merge, I checked the result immediately...

If anyone knows how to test CodeQL locally, please suggest. 🙏

Member


It seems there is a codeql cli, but it requires some setup and a "database" being generated:

https://medium.com/@arjun_zs/codeql-cli-running-in-local-the-how-5817175300c6

Maybe we can add a make codeql that does it all.
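As an added illustration of what such a target could look like (this is not from the Gitea repository; the target name, variable names and the .codeql-db directory are assumptions), a Makefile fragment that builds a CodeQL database per language and runs the standard query packs against it, producing SARIF output that can be inspected before pushing:

```makefile
# Added example, not part of the Gitea build. Assumes the `codeql` CLI is on
# PATH and that make is run from the repository root. The CodeQL language
# packs (codeql/go-queries, codeql/javascript-queries) are fetched on demand
# by --download, so the first run needs network access.
CODEQL ?= codeql
CODEQL_DB_DIR ?= .codeql-db
CODEQL_LANGS ?= go javascript

.PHONY: codeql
codeql:
	@for lang in $(CODEQL_LANGS); do \
		echo "==> CodeQL ($$lang): building database"; \
		rm -rf "$(CODEQL_DB_DIR)/$$lang"; \
		$(CODEQL) database create "$(CODEQL_DB_DIR)/$$lang" \
			--language="$$lang" --source-root=. || exit 1; \
		echo "==> CodeQL ($$lang): running default code-scanning queries"; \
		$(CODEQL) database analyze "$(CODEQL_DB_DIR)/$$lang" \
			"codeql/$$lang-queries" --download \
			--format=sarif-latest \
			--output="$(CODEQL_DB_DIR)/$$lang.sarif" || exit 1; \
		if command -v jq >/dev/null; then \
			echo "==> CodeQL ($$lang): $$(jq '.runs[0].results | length' \
				"$(CODEQL_DB_DIR)/$$lang.sarif") result(s)"; \
		fi; \
	done
```

The same query packs are what CodeQL's default code-scanning setup runs, so a finding that appears in the local SARIF file is the one the pull-request check would report; the inline disable comment discussed above would have shown up as still-flagged here.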

@go-gitea go-gitea locked as resolved and limited conversation to collaborators Jan 1, 2026