qonto / prometheus-rds-exporter

Prometheus exporter for AWS RDS
MIT License

Ignore false positive alert for homepage #115

Closed vmercierfr closed 7 months ago

vmercierfr commented 7 months ago

Objective

Ignore false positive alert for homepage

Why

Semgrep is reporting the go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter alert:

┌────────────────┐
│ 1 Code Finding │
└────────────────┘

    internal/infra/http/homepage.go 
    ❯❱ go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter
          Detected directly writing or similar in 'http.ResponseWriter.write()'. This bypasses HTML escaping
          that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package and  
          render data using 'template.Execute()'.                                                           
          Details: https://sg.run/EkbA                                                                      

           56┆ _, _ = w.Write(h.content)

We fixed it in https://github.com/qonto/prometheus-rds-exporter/pull/112, but the alert is still reported.

Homepage HTML content is escaped by html/template during initialisation.

An alternative might be to use template.Execute() in the HTTP handler, but it would be calculated for each call, which doesn't make sense for this home page.

How

Release plan
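The pattern the description refers to, as an added example that is not the project's own homepage.go: the page is rendered through html/template once when the handler is constructed, and the handler only replays the cached bytes, so the raw w.Write the rule flags carries data that was already escaped. The template, the field names, the port and the form of the suppression comment are assumptions; the rule id is the one from the report above.

```go
package main

import (
	"bytes"
	"html/template"
	"log"
	"net/http"
)

// homepageData is constructed page data; the real exporter fills in its own values.
type homepageData struct {
	Title       string
	MetricsPath string
}

const homepageTemplate = `<!DOCTYPE html>
<html><head><title>{{.Title}}</title></head>
<body><h1>{{.Title}}</h1><p><a href="{{.MetricsPath}}">Metrics</a></p></body></html>
`

// Homepage holds the HTML rendered once at initialisation.
type Homepage struct{ content []byte }

// NewHomepage renders the template through html/template, so every field is
// context-escaped here; the handler later only replays the resulting bytes.
func NewHomepage(data homepageData) (*Homepage, error) {
	tmpl := template.Must(template.New("homepage").Parse(homepageTemplate))
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, data); err != nil {
		return nil, err
	}
	return &Homepage{content: buf.Bytes()}, nil
}

// Content exposes the pre-rendered bytes so tests can check the escaping.
func (h *Homepage) Content() string { return string(h.content) }

// ServeHTTP replays the cached, already-escaped HTML. The analyser only sees a raw
// Write and cannot tell the escaping happened in NewHomepage (suppression form assumed).
func (h *Homepage) ServeHTTP(w http.ResponseWriter, _ *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	_, _ = w.Write(h.content) // nosemgrep: go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter
}

func main() {
	h, err := NewHomepage(homepageData{Title: "RDS exporter", MetricsPath: "/metrics"})
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":9043", h))
}
```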

vmercierfr commented 7 months ago

sre

github-actions[bot] commented 7 months ago

Code Coverage

Package Line Rate Health
github.com/qonto/prometheus-rds-exporter/internal/app/cloudwatch 88%
github.com/qonto/prometheus-rds-exporter/internal/app/ec2 88%
github.com/qonto/prometheus-rds-exporter/internal/app/exporter 80%
github.com/qonto/prometheus-rds-exporter/internal/app/rds 80%
github.com/qonto/prometheus-rds-exporter/internal/app/servicequotas 51%
github.com/qonto/prometheus-rds-exporter/internal/app/unit 100%
Summary 81% (939 / 1157)

Minimum allowed line rate is 60%