attune-system/attune
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

addressing some semgrep issues

Browse Source
This commit is contained in:
David Culbreth
2026-04-01 19:27:37 -05:00
parent 4b525f4641
commit b342005e17
27 changed files with 776 additions and 60 deletions
Download Patch File Download Diff File Expand all files Collapse all files

118
semgrep-findings.md Normal file
View File

@@ -0,0 +1,118 @@
┌──────────────────┐
│ 14 Code Findings │
└──────────────────┘
 crates/cli/src/commands/pack.rs
❯❯❱ rust.actix.path-traversal.tainted-path.tainted-path
❰❰ Blocking ❱❱
The application builds a file path from potentially untrusted data, which can lead to a path
traversal vulnerability. An attacker can manipulate the path which the application uses to access
files. If the application does not validate user input and sanitize file paths, sensitive files such
as configuration or user data can be accessed, potentially creating or overwriting files. To prevent
this vulnerability, validate and sanitize any input that is used to create references to file paths.
Also, enforce strict file access controls. For example, choose privileges allowing public-facing
applications to access only the required files.
Details: https://sg.run/YWX5
861┆ std::fs::read_to_string(&pack_yaml_path).context("Failed to read pack.yaml")?;
 crates/cli/src/commands/workflow.rs
❯❯❱ rust.actix.path-traversal.tainted-path.tainted-path
❰❰ Blocking ❱❱
The application builds a file path from potentially untrusted data, which can lead to a path
traversal vulnerability. An attacker can manipulate the path which the application uses to access
files. If the application does not validate user input and sanitize file paths, sensitive files such
as configuration or user data can be accessed, potentially creating or overwriting files. To prevent
this vulnerability, validate and sanitize any input that is used to create references to file paths.
Also, enforce strict file access controls. For example, choose privileges allowing public-facing
applications to access only the required files.
Details: https://sg.run/YWX5
188┆ std::fs::read_to_string(action_path).context("Failed to read action YAML file")?;
⋮┆----------------------------------------
223┆ std::fs::read_to_string(&workflow_path).context("Failed to read workflow YAML file")?;
 crates/cli/src/wait.rs
❯❯❱ javascript.lang.security.detect-insecure-websocket.detect-insecure-websocket
❰❰ Blocking ❱❱
Insecure WebSocket Detected. WebSocket Secure (wss) should be used for all WebSocket connections.
Details: https://sg.run/GWyz
483┆ /// - `http://api.example.com:9000``ws://api.example.com:8081`
⋮┆----------------------------------------
525┆ Some("ws://api.example.com:8081".to_string())
⋮┆----------------------------------------
529┆ Some("ws://10.0.0.5:8081".to_string())
 crates/common/src/pack_environment.rs
❯❯❱ rust.actix.path-traversal.tainted-path.tainted-path
❰❰ Blocking ❱❱
The application builds a file path from potentially untrusted data, which can lead to a path
traversal vulnerability. An attacker can manipulate the path which the application uses to access
files. If the application does not validate user input and sanitize file paths, sensitive files such
as configuration or user data can be accessed, potentially creating or overwriting files. To prevent
this vulnerability, validate and sanitize any input that is used to create references to file paths.
Also, enforce strict file access controls. For example, choose privileges allowing public-facing
applications to access only the required files.
Details: https://sg.run/YWX5
694┆ Path::new(env_path),
⋮┆----------------------------------------
812┆ return Ok(PathBuf::from(validated).exists());
 crates/common/src/pack_registry/installer.rs
❯❯❱ rust.actix.ssrf.reqwest-taint.reqwest-taint
❰❰ Blocking ❱❱
Untrusted input might be used to build an HTTP request, which can lead to a Server-side request
forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side
to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and,
in some cases, allow the attacker to control applications or systems that trust the vulnerable
service. To prevent this vulnerability, avoid allowing user input to craft the base request.
Instead, treat it as part of the path or query parameter and encode it appropriately. When user
input is necessary to prepare the HTTP request, perform strict input validation. Additionally,
whenever possible, use allowlists to only interact with expected, trusted domains.
Details: https://sg.run/6D5Y
428┆ .get(parsed_url.clone())
 crates/worker/src/artifacts.rs
❯❯❱ rust.actix.path-traversal.tainted-path.tainted-path
❰❰ Blocking ❱❱
The application builds a file path from potentially untrusted data, which can lead to a path
traversal vulnerability. An attacker can manipulate the path which the application uses to access
files. If the application does not validate user input and sanitize file paths, sensitive files such
as configuration or user data can be accessed, potentially creating or overwriting files. To prevent
this vulnerability, validate and sanitize any input that is used to create references to file paths.
Also, enforce strict file access controls. For example, choose privileges allowing public-facing
applications to access only the required files.
Details: https://sg.run/YWX5
89┆ let mut file = fs::File::create(&stdout_path)
⋮┆----------------------------------------
123┆ let mut file = fs::File::create(&stderr_path)
⋮┆----------------------------------------
171┆ let mut file = fs::File::create(&result_path)
⋮┆----------------------------------------
217┆ let mut file = fs::File::create(&file_path)
 crates/worker/src/service.rs
❯❯❱ rust.actix.path-traversal.tainted-path.tainted-path
❰❰ Blocking ❱❱
The application builds a file path from potentially untrusted data, which can lead to a path
traversal vulnerability. An attacker can manipulate the path which the application uses to access
files. If the application does not validate user input and sanitize file paths, sensitive files such
as configuration or user data can be accessed, potentially creating or overwriting files. To prevent
this vulnerability, validate and sanitize any input that is used to create references to file paths.
Also, enforce strict file access controls. For example, choose privileges allowing public-facing
applications to access only the required files.
Details: https://sg.run/YWX5
176┆ config
177┆ .worker
178┆ .as_ref()
179┆ .and_then(|w| w.name.clone())
180┆ .map(|name| format!("/tmp/attune/artifacts/{}", name))
181┆ .unwrap_or_else(|| "/tmp/attune/artifacts".to_string()),