
Commit 26ce4a8

Update to 4 in STEP and README.md
1 parent a0cc536 commit 26ce4a8

2 files changed

+53
-26
lines changed

.github/steps/-step.txt

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -1 +1 @@
1-
3
1+
4

README.md

Lines changed: 52 additions & 25 deletions
Original file line number | Diff line number | Diff line change
@@ -16,46 +16,73 @@ _Ensuring the security of application source code is a critical step in modern s
1616
</header>
1717

1818
<!--
19-
<<< Author notes: Step 3 >>>
19+
<<< Author notes: Step 4 >>>
2020
Start this step by acknowledging the previous step.
2121
Define terms and link to docs.github.com.
22-
TBD-step-3-notes.
22+
TBD-step-4-notes.
2323
-->
2424

25-
## Step 3: Fix Security Vulnerabilities
25+
## Step 4: Prevent Vulnerabilities in the Pull Request
2626

27-
_Nice work finishing Step 2: Reviewing and Triaging CodeQL Alerts :sparkles:_
27+
_Nicely done! You finished Step 3: Fix Security Vulnerabilites! :partying_face:_
28+
29+
Way to go! You made it this far. We're almost done! The last step is to test out the pull request integration with CodeQL. In this step, we will add a vulnerability back into the `routes.py` file to trigger an alert for a SQL injection vulnerability. This is going to be the same issue initially saw.
30+
31+
Our goal is to understand what developers experience when they find a new vulnerability.
32+
33+
In this step, we will:
34+
- edit the `routes.py` file.
35+
- change the SQL statement to make it insecure.
36+
- commit those changes and merge the insecure code into the main branch.
37+
- experience the alert inside the pull request.
2838

29-
In this step, we will work to fix the existing security vulnerabilities already identified by CodeQL. Remember, at this point, we have introduced CodeQL into our repository and had it scan the existing code. The vulnerabilities it found are real-world issues, and they need to be fixed! We'll fix this issue by editing the `/server/routes.py` file.
39+
Let's get started 👍
3040

31-
### :keyboard: Activity 1: Review alerts
32-
First, before we fix these alerts, we need to make sure the alerts are still open. We'll also need to gather information on which files to fix and how best to fix them.
41+
**What is pull request**: Pull requests are proposed changes to a repository submitted by a user and accepted or rejected by a repository's collaborators. This allows multiple people to work on the same code at the same time. For more information, check out the GitHub Skills course "[Introduction to GitHub](https://github.com/skills/introduction-to-github)" or "[About pull requests](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-pull-requests)" from the GitHub docs.
3342

34-
1. Navigate to your code scanning alerts page: **Security** > **Code scanning**.
35-
1. You should see two alerts listed as "**Open**". If any of the alerts are listed as "**Closed**", open the alert page and choose **Reopen alert**.
43+
**What is branch**: A branch is a parallel version of your repository. By default, your repository has one branch named main and it is considered to be the definitive branch. Creating additional branches allows you to copy the main branch of your repository and safely make any changes without disrupting the main project. For more information, see "[About branches](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-branches#)" in the GitHub docs.
3644

37-
Now that both of these alerts are open, let's fix them. If you look at the alerts, they both call out one specific file containing the issues: `server/routes.py`. The issue is in crafting the SQL query for the database. These queries are vulnerable to SQL injection attacks. We should rewrite these SQL statements more securely.
38-
39-
If you expand the **More info** section at the bottom of the alert, there are very clear suggestions to fix this query. We're going to implement those suggestions in the next activity.
45+
### :keyboard: Activity 1: Edit `routes.py` and create a new pull request
4046

41-
### :keyboard: Activity 2: Edit routes.py
42-
We now know where the issues exist and how to fix them. We'll start by modifying the file `routes.py`. Again, you'll want to do these next steps in a separate browser window or tab.
47+
In this first activity, we'll introduce the same insecure SQL statement from before to the `routes.py` file. Once we update the file, we'll commit it to a new branch, then create a pull request.
48+
49+
1. Click the **Code** tab in your repository.
50+
2. Select the `server` folder.
51+
3. Select the `routes.py` file.
52+
4. Click the **Edit** button to the right.
53+
54+
![edit-button.png](/images/edit-button.png)
4355

44-
1. Click the **Code** tab in your repository.
45-
2. Select the `server` folder.
46-
3. Select the `routes.py` file.
47-
4. Click the **Edit** button to the right.
56+
5. Edit line 16 by highlighting the SQL statement and replace it with this text: `"SELECT * FROM books WHERE name LIKE '%" + name + "%'"`.
57+
6. Click **Commit changes...** from the top right. The "Propose changes" window will pop up.
58+
7. This time, select the radio button next to **Create a new branch**. You can create a new name for this branch or leave it as the default suggestion.
59+
8. Click **Propose changes**. This opens a new pull request.
60+
9. In the "Open a pull request" window, click **Create pull request**.
4861

49-
![edit-button.png](/images/edit-button.png)
62+
63+
### :keyboard: Activity 2: Review pull request
64+
65+
At this point, we've edited the file `routes.py` to add our vulnerable code, committed those changes to our new branch, and created a pull request to merge the new branch into our `main` branch. These are the same steps a developer would take to introduce new, vulnerable code into a repository.
5066

51-
5. Edit line 16 by highlighting the SQL statement and replace it with this text: `"SELECT * FROM books WHERE name LIKE %s", name`.
67+
Now, let's take a look at the pull request to see what the experience is like.
5268

53-
6. Edit line 22 to replace the SQL statement with this text: `"SELECT * FROM books WHERE author LIKE %s", author`.
69+
1. In the previous activity, we created the pull request. After creating the pull request, you were brought directly to the pull request page. At the bottom of the pull request, you will see a check called "Code scanning/CodeQL". This is the CodeQL analysis job scanning the code introduced in the pull request.
70+
71+
![pr-panel](/images/pr-panel.png)
72+
73+
2. Once the check is complete, you will see a new comment in the pull request from CodeQL indicating a new security vulnerability; a SQL query built from user-controlled data. This is our SQL injection vulnerability.
74+
75+
<img width="1180" alt="image" src="https://github.com/leftrightleft/enable-code-scanning/assets/4910518/378bd766-ef61-4619-ab3c-bf2c8d9618d7">
76+
77+
3. Review the data flow paths by clicking **Show paths**.
5478

55-
7. Click **Commit changes...** from the top right. The "Propose changes" window will pop up. Leave the defaults configured, and click **Commit changes** again.
56-
8. CodeQL will now initiate a new scan. Check the status of that scan by navigating to **Actions** then choose the **CodeQL** action. Once the scan job completes, Actions will display a green check next to the last run.
57-
9. Once that CodeQL scan is done, navigate to **Security** > **Code scanning** to review the alerts. You should have zero open alerts and two closed alerts 🎉. Feel free to review the closed alerts, especially the audit trail.
58-
10. Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update to the next step.
79+
4. If you would like, add a comment and tag one of your friends by using their GitHub handle (example: `@username`). This will notify them that you made a comment on the issue and need their help solving the problem. 😄
80+
81+
If this were a real-world situation, the developer would fix the SQL statement in their branch. Once fixed, the vulnerability will automatically close out.
82+
83+
If you would like to learn more about pull request integrations for code scanning, see "[Triaging code scanning alerts in pull requests](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/triaging-code-scanning-alerts-in-pull-requests)."
84+
85+
5. Wait about 20 seconds then refresh this page (the one you're following instructions from). [GitHub Actions](https://docs.github.com/en/actions) will automatically update to the next step.
5986

6087
<footer>
6188
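Review bot: the numbered list in Activity 2 is split in two: steps 1 through 4 are followed by two unindented paragraphs ("If this were a real-world situation…" and "If you would like to learn more…") before step 5 ("Wait about 20 seconds then refresh this page…"), so the refresh step no longer reads as part of the same procedure. Either move those two paragraphs below step 5 or indent them so they nest under step 4. Smaller points in the same hunk: the recap line has a typo ("Vulnerabilites"), the sentence "This is going to be the same issue initially saw." is missing "we", step 4 of Activity 2 says "comment on the issue" although the reader is commenting on a pull request, and the second screenshot is a raw `<img>` pointing at a `github.com/leftrightleft/enable-code-scanning/assets/...` upload URL with `alt="image"`, whereas the other screenshots use the repo's own `/images/` path with a descriptive file name; copying that image into `/images/` and giving it a real alt text keeps the course self-contained when the template is forked.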
