brave / security-action

Composite GitHub CI Action containing the minimal viable security lint for brave repositories
Mozilla Public License 2.0

False positive `GURL original...` v. `GURL origin` #450

Open fmarier opened 11 months ago

fmarier commented 11 months ago

Reference: https://github.com/brave/brave-core/pull/21255#discussion_r1430739970

False positive on this line: https://github.com/brave/security-action/blob/10b0d57eaf6d8739e510c1018fc372f7329e86eb/assets/semgrep_rules/client/chromium-insecure-gurl.yaml#L14

`GURL original_url;` matches `origin` whereas for this rule we really meant to match `GURL origin;`

Proposed Solution
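As an added illustration, not part of the issue or of the rule file in the security-action repository (whose pattern text is not reproduced here), the Python below models the prefix problem with regular expressions: a pattern that looks for `GURL origin` without a trailing word boundary also fires on `GURL original_url`, while a boundary-anchored pattern only fires on the intended declaration. The sample source lines are constructed for the example, and the assumption that the rule behaves like a substring search is the author's, not something stated on the page.

```python
import re

# Constructed C++-style sample lines (not taken from brave-core).
# Line 2 reproduces the false-positive shape reported in the issue.
SAMPLE_SOURCE = """\
GURL origin;
GURL original_url;
  GURL origin = request.url().GetOrigin();
GURL original_request_url = GetOriginalUrl();
std::string origin;
"""

# Naive pattern: "origin" is also a prefix of "original_url", so this
# fires on both the intended declaration and the false positive.
NAIVE = re.compile(r"GURL\s+origin")

# Boundary-anchored pattern: the identifier must end right after "origin".
# "\b" does not match between "n" and "a" (or "_"), so "original_url"
# and "origin_url" are no longer reported.
ANCHORED = re.compile(r"\bGURL\s+origin\b")


def find_matches(pattern: re.Pattern, source: str) -> list[int]:
    """Return the 1-based line numbers whose text matches `pattern`."""
    return [
        lineno
        for lineno, line in enumerate(source.splitlines(), start=1)
        if pattern.search(line)
    ]


def false_positives(source: str) -> list[int]:
    """Lines flagged by the naive pattern but not by the anchored one."""
    anchored = set(find_matches(ANCHORED, source))
    return [n for n in find_matches(NAIVE, source) if n not in anchored]


if __name__ == "__main__":
    print("naive   :", find_matches(NAIVE, SAMPLE_SOURCE))
    print("anchored:", find_matches(ANCHORED, SAMPLE_SOURCE))
    print("false positives removed:", false_positives(SAMPLE_SOURCE))
```

When tightening a lint rule like this, keep both kinds of sample lines (the declaration you want to catch and the near-miss identifiers you do not) as fixtures, so that a later edit to the pattern cannot silently reintroduce the prefix match.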

thypon commented 9 months ago

@fmarier is this still worth implementing?

fmarier commented 9 months ago

I think so, GURL original_url is definitely okay and doesn't need to be flagged by the GURL origin rule.