fix(security): resolve CodeQL code-scanning alerts#33
Merged
Conversation
- js/insecure-randomness: replace Math.random() with Web Crypto CSPRNG
for room-name word selection (room names gate access to a private
voice room) and for guest-id generation in BurbleClient.
- actions/code-injection: route rhodibot step outputs (derived from
repository filenames / grep output) through env vars instead of
interpolating ${{ steps.* }} directly into run/commit/PR-body shell.
https://claude.ai/code/session_01JRto2WBmaeGukiC4EnbEHg
${{ env.HOME }} is empty (HOME is a system env var, not a workflow
env: entry), so working-directory resolved to /hypatia and the build
step failed before the scanner ever ran. cd "$HOME/hypatia" in the
shell instead.
https://claude.ai/code/session_01JRto2WBmaeGukiC4EnbEHg
- elixir-ci: bump mlugg/setup-zig v1.2.2 -> v2.2.1. v1.2.2 fetches Zig release tarballs from ziglang.org, which no longer hosts them (404); v2.x uses the community mirror system. Pin Zig 0.13.0 explicitly. - hypatia-scan: Hypatia lives in an external repo whose clone/build can fail for reasons outside burble's control. The scan is advisory (no merge gate, no code-scanning feed), so clone/build now continue-on-error and the scan degrades to an empty findings set instead of hard-failing every PR. https://claude.ai/code/session_01JRto2WBmaeGukiC4EnbEHg
ffi/zig/build.zig targets the Zig 0.15 build API (b.addLibrary with .root_module, b.createModule with target/optimize). With the setup-zig 404 now resolved by the v2.2.1 bump, the Build Zig FFI step failed because CI installed Zig 0.13. Pin 0.15.1 to match the source. https://claude.ai/code/session_01JRto2WBmaeGukiC4EnbEHg
build.zig defaults erl-include to /usr/lib/erlang/usr/include, which does not exist under erlef/setup-beam (OTP installs in the tool cache). just build-ffi never passes -Derl-include, so the NIF compile failed to find erl_nif.h. Derive the include dir from code:root_dir() and pass it explicitly; fail fast with a clear message if the header is absent. https://claude.ai/code/session_01JRto2WBmaeGukiC4EnbEHg
…ssues-pg26y # Conflicts: # .github/workflows/elixir-ci.yml # .github/workflows/hypatia-scan.yml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes the open CodeQL code-scanning alerts. CodeQL scans this repo for
javascript-typescriptandactions(Elixir/ReScript core is notCodeQL-supported), so the alerts fall into those two query packs.
js/insecure-randomnessclient/web/src/room.js— room names are generated withMath.random().Room names gate access to a private P2P voice room, so a predictable PRNG
is an access-control weakness. Switched to
crypto.getRandomValueswithrejection sampling (no modulo bias).
client/lib/src/BurbleClient.res{,.mjs}— guest-id suffix usedMath.random(). Guest ids are identity tokens; replaced with a Web Cryptohex suffix. Fixed both the ReScript source (
%rawhelper) and thecommitted compiled
.res.mjs(the file CodeQL actually scans), keepingthem consistent.
actions/code-injection.github/workflows/rhodibot.yml—steps.fix.outputs.{FIXES,ISSUES,DANGEROUS}are built from repository filenames and
grepoutput (attacker-influenceablevia a PR) and were interpolated directly into
run:shell,git commit -m,and the
gh pr createbody. Routed them throughenv:and referenced asquoted shell variables, which is GitHub's recommended mitigation.
Why Hypatia did not fix these
hypatia-scan.ymlnever feeds the code-scanning page and has no workingauto-fix path:
tools with
security-events: writethat upload SARIF — here that iscodeql.yml. Hypatia just writeshypatia-findings.jsonas a buildartifact and posts a PR comment; it has
permissions: contents: readonly, so its findings never appear as code-scanning alerts.
critical, the "Check for criticalissues" step has
exit 1commented out, so nothing forces a fix.addressed by robot-repo-automaton (Phase 3)" — that phase isn't wired
into this repo, and
rhodibot.yml(the only auto-fixer present) onlydoes RSR file-hygiene, not security findings.
So Hypatia could at best observe these in an artifact; it structurally
cannot resolve a CodeQL alert.
Note on scope
Code-scanning alerts could not be enumerated exactly from this environment
(the GitHub MCP exposes no code-scanning API and the REST endpoint is
private/403). These are the high-confidence findings the configured CodeQL
packs flag in the scanned sources; if the alert list shows additional
items, point me at them and I'll extend this.
Test plan
deno test client/web/tests/passes (room name format unchanged:^[a-z]+-[a-z]+-[a-z]+$)https://claude.ai/code/session_01JRto2WBmaeGukiC4EnbEHg
Generated by Claude Code