Skip to content

Refactor #290

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 18 commits into
base: main
Choose a base branch
from
Open

Refactor #290

wants to merge 18 commits into from

Conversation

@kshmidt-digma
Copy link
Contributor

@kshmidt-digma kshmidt-digma commented Aug 5, 2025

No description provided.

github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 5, 2025
View reviewed changes
src/api/DigmaApiClient.ts
this.instance = axios.create({
baseURL,
httpsAgent: new https.Agent({
rejectUnauthorized: false

Check failure

Code scanning / CodeQL

Disabling certificate validation High

Disabling certificate validation is strongly discouraged.

Copilot Autofix

AI 4 months ago

To fix the problem, the rejectUnauthorized: false option should be removed or set to true (the default). This will ensure that HTTPS requests made by the Axios client will validate server certificates, protecting against man-in-the-middle attacks. The best way to fix this is to remove the httpsAgent option entirely if there is no need for custom agent configuration, or to set rejectUnauthorized: true if a custom agent is still required for other reasons. The change should be made in the constructor of DigmaApiClient, specifically on lines 27–29 of src/api/DigmaApiClient.ts.

Suggested changeset 1
src/api/DigmaApiClient.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/api/DigmaApiClient.ts b/src/api/DigmaApiClient.ts
--- a/src/api/DigmaApiClient.ts
+++ b/src/api/DigmaApiClient.ts
@@ -26,5 +26,2 @@
       baseURL,
-      httpsAgent: new https.Agent({
-        rejectUnauthorized: false
-      }),
       headers: {
EOF
@@ -26,5 +26,2 @@
baseURL,
httpsAgent: new https.Agent({
rejectUnauthorized: false
}),
headers: {
Copilot is powered by AI and may make mistakes. Always verify output.
src/api/services/AgenticService.ts
Comment on lines +10 to +12
const response = await this.client.client.get<GetIncidentResponse>(
this.getUrl(`incidents/${data.id}`)
);

Check failure

Code scanning / CodeQL

Server-side request forgery Critical

The
URL
Loading
of this request depends on a
user-provided value
Loading
.

Copilot Autofix

AI 4 months ago

To fix this SSRF vulnerability, we should validate and sanitize the incidentId parameter before using it to construct the outgoing request URL. The best approach is to enforce a strict allow-list of acceptable formats for incidentId. If incidentId is expected to be a UUID, we should check that it matches a UUID regex. If it is a numeric ID, we should check that it is a number. This validation should be performed as close as possible to the entry point of the tainted data, ideally in attachIncidentFileToChatContext in src/uris/handlers/context.ts, before passing the value to the API client. If the value does not match the expected format, we should throw an error or reject the request.

Required changes:

  • In src/uris/handlers/context.ts, add validation for incidentId at the start of attachIncidentFileToChatContext.
  • If the value is invalid, throw an error.
  • No new imports are needed if we use a simple regex.
Suggested changeset 1
src/uris/handlers/context.ts
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/uris/handlers/context.ts b/src/uris/handlers/context.ts
--- a/src/uris/handlers/context.ts
+++ b/src/uris/handlers/context.ts
@@ -9,2 +9,7 @@
 export const attachIncidentFileToChatContext = async (incidentId: string) => {
+  // Validate incidentId: allow only UUIDs (adjust regex as needed for your format)
+  const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+  if (!uuidRegex.test(incidentId)) {
+    throw new Error("Invalid incidentId format");
+  }
   try {
EOF
@@ -9,2 +9,7 @@
export const attachIncidentFileToChatContext = async (incidentId: string) => {
// Validate incidentId: allow only UUIDs (adjust regex as needed for your format)
const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
if (!uuidRegex.test(incidentId)) {
throw new Error("Invalid incidentId format");
}
try {
Copilot is powered by AI and may make mistakes. Always verify output.
src/uris/handlers/context.ts
const filePath = path.join(tempDir, fileName);
const content = JSON.stringify(incidentData, null, 2);

fs.writeFileSync(filePath, content, "utf8");

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression High

This path depends on a
user-provided value
Loading
.

Copilot Autofix

AI 4 months ago

To fix the problem, we need to ensure that the incidentId value cannot be used to perform path traversal or inject special characters into the filename. The best way to do this is to sanitize the incidentId before using it in the filename. We can use the well-known sanitize-filename npm package to remove any potentially dangerous characters from the incidentId. This will ensure that the resulting filename is safe and cannot be used to escape the intended directory. The changes should be made in src/uris/handlers/context.ts, specifically where the filename is constructed. We will need to import sanitize-filename and apply it to incidentId before using it in the filename.

Suggested changeset 2
src/uris/handlers/context.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/uris/handlers/context.ts b/src/uris/handlers/context.ts
--- a/src/uris/handlers/context.ts
+++ b/src/uris/handlers/context.ts
@@ -5,2 +5,3 @@
 import vscode from "vscode";
+import sanitizeFilename from "sanitize-filename";
 import { getDigmaClient } from "../../extension";
@@ -15,3 +16,4 @@
     const tempDir = os.tmpdir();
-    const fileName = `incident-${incidentId}-${formatISO(new Date(), {
+    const safeIncidentId = sanitizeFilename(incidentId);
+    const fileName = `incident-${safeIncidentId}-${formatISO(new Date(), {
       format: "basic"
EOF
@@ -5,2 +5,3 @@
import vscode from "vscode";
import sanitizeFilename from "sanitize-filename";
import { getDigmaClient } from "../../extension";
@@ -15,3 +16,4 @@
const tempDir = os.tmpdir();
const fileName = `incident-${incidentId}-${formatISO(new Date(), {
const safeIncidentId = sanitizeFilename(incidentId);
const fileName = `incident-${safeIncidentId}-${formatISO(new Date(), {
format: "basic"
package.json
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -161,3 +161,4 @@
     "husky": "^9.1.7",
-    "path-to-regexp": "^8.2.0"
+    "path-to-regexp": "^8.2.0",
+    "sanitize-filename": "^1.6.3"
   }
EOF
@@ -161,3 +161,4 @@
"husky": "^9.1.7",
"path-to-regexp": "^8.2.0"
"path-to-regexp": "^8.2.0",
"sanitize-filename": "^1.6.3"
}
This fix introduces these dependencies
Package Version Security advisories
sanitize-filename (npm) 1.6.3 None
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kshmidt-digma