
Security hardening and code quality improvements#41

Open
jongio wants to merge 1 commit intomainfrom
mq

Conversation


@jongio jongio commented Mar 2, 2026

MQ + Hack Analysis (Dual-Model: Opus 4.6 + Codex 5.3)

HIGH

  • MCP handlers bypass Key Vault resolution (CWE-522) — Added prepareEnvironmentForMCP()
  • Secret filtering denylist incomplete (CWE-532) — Added PAT, SAS, SIGNING, PRIVATE, PASSPHRASE, AUTH patterns
  • New() silently ignoring validation (CWE-754) — Changed signature to return error, updated 30+ callers

MEDIUM

  • Shell name case sensitivity (CWE-178) — Normalized to lowercase
  • Dead path traversal check (CWE-561) — Removed unreachable code
  • Deprecated build directives (CWE-477) — Replaced // +build with //go:build

12 files changed, +260/-87 lines

MQ + Hack dual-model analysis (Opus 4.6 + Codex 5.3) findings and fixes:

HIGH:
- MCP handlers bypass Key Vault secret resolution (CWE-522)
- Secret filtering denylist incomplete - added PAT, SAS, SIGNING, PRIVATE, PASSPHRASE, AUTH (CWE-532)
- New() silently ignoring validation errors - now returns error (CWE-754)

MEDIUM:
- Shell name case sensitivity causing fallback issues (CWE-178)
- Dead path traversal check removed (CWE-561)
- Deprecated // +build directives replaced with //go:build (CWE-477)

Changed New() signature to return error, updated 30+ callers.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
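As an added illustration of the CWE-532 and CWE-178 findings above (example code, not azd-exec's own): the base denylist is an assumed pre-PR list, the token-based matching rule is this example's choice, and the sample environment is constructed. It shows why names such as GITHUB_PAT and a lower-cased SAS variable slip past the shorter list, and why matching on whole name tokens rather than substrings keeps PATH from being redacted by the PAT pattern.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not azd-exec's code. baseDenylist is an assumed pre-PR list;
// addedPatterns are the fragments the PR description says were added (CWE-532).
var (
	baseDenylist  = []string{"SECRET", "TOKEN", "PASSWORD", "KEY", "CREDENTIAL"}
	addedPatterns = []string{"PAT", "SAS", "SIGNING", "PRIVATE", "PASSPHRASE", "AUTH"}
	fullDenylist  = append(append([]string{}, baseDenylist...), addedPatterns...)
)

// IsSensitiveName reports whether an env var name is a secret. Matching is
// case-insensitive (CWE-178) and token-based (split on _ - .), so PATH != PAT.
func IsSensitiveName(name string, denylist []string) bool {
	tokens := strings.FieldsFunc(strings.ToUpper(name), func(r rune) bool {
		return r == '_' || r == '-' || r == '.'
	})
	for _, tok := range tokens {
		for _, pattern := range denylist {
			if tok == pattern {
				return true
			}
		}
	}
	return false
}

// RedactEnv returns a copy of env with sensitive values masked; this copy is
// what should reach logs or error messages, never the raw map.
func RedactEnv(env map[string]string, denylist []string) map[string]string {
	out := make(map[string]string, len(env))
	for k, v := range env {
		out[k] = v
		if IsSensitiveName(k, denylist) {
			out[k] = "[REDACTED]"
		}
	}
	return out
}

func main() {
	// Constructed sample environment; values are placeholders, not real secrets.
	env := map[string]string{"GITHUB_PAT": "ghp_placeholder", "azure_storage_sas": "sv=x", "PATH": "/usr/bin"}
	fmt.Println(RedactEnv(env, baseDenylist)) // PAT and SAS leak with the old list
	fmt.Println(RedactEnv(env, fullDenylist)) // both masked, PATH untouched
}
```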
github-actions bot added a commit that referenced this pull request Mar 2, 2026

github-actions bot commented Mar 2, 2026

🚀 Website Preview

Your PR preview is ready!

📎 Preview URL: https://jongio.github.io/azd-exec/pr/41/

This preview will be automatically cleaned up when the PR is closed.


github-actions bot commented Mar 2, 2026

🚀 Test This PR

A preview build (0.4.0-pr41) is ready for testing!

🌐 Website Preview

Live Preview: https://jongio.github.io/azd-exec/pr/41/

One-Line Install (Recommended)

PowerShell (Windows):

iex "& { $(irm https://raw.githubusercontent.com/jongio/azd-exec/main/cli/scripts/install-pr.ps1) } -PrNumber 41 -Version 0.4.0-pr41"

Bash (macOS/Linux):

curl -fsSL https://raw.githubusercontent.com/jongio/azd-exec/main/cli/scripts/install-pr.sh | bash -s 41 0.4.0-pr41

Uninstall

When you're done testing:

PowerShell (Windows):

iex "& { $(irm https://raw.githubusercontent.com/jongio/azd-exec/main/cli/scripts/uninstall-pr.ps1) } -PrNumber 41"

Bash (macOS/Linux):

curl -fsSL https://raw.githubusercontent.com/jongio/azd-exec/main/cli/scripts/uninstall-pr.sh | bash -s 41

Build Info:

What to Test:
Please review the PR description and test the changes described there.
