
Security hardening and code quality improvements #41

Merged
jongio merged 2 commits into main from mq
Mar 3, 2026

Conversation

@jongio (Owner) commented Mar 2, 2026

MQ + Hack Analysis (Dual-Model: Opus 4.6 + Codex 5.3)

HIGH

  • MCP handlers bypass Key Vault resolution (CWE-522) — Added prepareEnvironmentForMCP()
  • Secret filtering denylist incomplete (CWE-532) — Added PAT, SAS, SIGNING, PRIVATE, PASSPHRASE, AUTH patterns
  • New() silently ignoring validation (CWE-754) — Changed signature to return error, updated 30+ callers

MEDIUM

  • Shell name case sensitivity (CWE-178) — Normalized to lowercase
  • Dead path traversal check (CWE-561) — Removed unreachable code
  • Deprecated build directives (CWE-477) — Replaced // +build with //go:build

12 files changed, +260/-87 lines

MQ + Hack dual-model analysis (Opus 4.6 + Codex 5.3) findings and fixes:

HIGH:
- MCP handlers bypass Key Vault secret resolution (CWE-522)
- Secret filtering denylist incomplete - added PAT, SAS, SIGNING, PRIVATE, PASSPHRASE, AUTH (CWE-532)
- New() silently ignoring validation errors - now returns error (CWE-754)

MEDIUM:
- Shell name case sensitivity causing fallback issues (CWE-178)
- Dead path traversal check removed (CWE-561)
- Deprecated // +build directives replaced with //go:build (CWE-477)

Changed New() signature to return error, updated 30+ callers.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
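The CWE-532 finding above says the secret-filtering denylist was extended with PAT, SAS, SIGNING, PRIVATE, PASSPHRASE and AUTH. The following Go snippet is an added example written for this page, not azd-exec's own code: it assumes the filter operates on environment-variable names (KEY=VALUE entries as returned by os.Environ()), assumes four baseline patterns (KEY, SECRET, TOKEN, PASSWORD) that the PR does not list, and uses constructed sample values. Names such as IsSecretName and RedactEnv are hypothetical. Matching is case-insensitive and works on underscore-separated tokens (exact or suffix match) rather than raw substrings, because a plain substring check on PAT would also redact PATH.

```go
package main

import (
	"fmt"
	"strings"
)

// secretNamePatterns is the denylist of name tokens that mark an environment
// variable as secret-bearing. The first four are assumed baseline patterns;
// the remaining six are the ones the PR description says were added.
var secretNamePatterns = []string{
	"KEY", "SECRET", "TOKEN", "PASSWORD", // assumed pre-existing patterns
	"PAT", "SAS", "SIGNING", "PRIVATE", "PASSPHRASE", "AUTH", // added per the PR
}

// IsSecretName reports whether an environment variable name matches the
// denylist. The name is upper-cased so "azure_storage_sas" is caught as well
// as "AZURE_STORAGE_SAS", then split on "_" and each token is compared by
// exact or suffix match ("APIKEY" ends with "KEY"). Token matching keeps
// "PATH" from being flagged by the short "PAT" pattern.
func IsSecretName(name string) bool {
	for _, tok := range strings.Split(strings.ToUpper(name), "_") {
		for _, p := range secretNamePatterns {
			if strings.HasSuffix(tok, p) {
				return true
			}
		}
	}
	return false
}

// RedactEnv takes KEY=VALUE entries (the shape of os.Environ()) and returns a
// copy in which the values of secret-looking variables are replaced with
// "[REDACTED]", so the result is safe to write to logs or debug output
// (CWE-532). Entries without "=" are passed through unchanged.
func RedactEnv(env []string) []string {
	out := make([]string, 0, len(env))
	for _, kv := range env {
		name, value, found := strings.Cut(kv, "=")
		if !found {
			out = append(out, kv)
			continue
		}
		if IsSecretName(name) {
			value = "[REDACTED]"
		}
		out = append(out, name+"="+value)
	}
	return out
}

func main() {
	// Constructed sample environment; these values are not from any real system.
	sample := []string{
		"PATH=/usr/bin",
		"AZURE_STORAGE_SAS=sv=2024-01-01&sig=fakesignature",
		"github_pat=ghp_fakevalue",
		"CODE_SIGNING_CERT=-----BEGIN CERTIFICATE-----",
		"HOME=/home/user",
	}
	for _, kv := range RedactEnv(sample) {
		fmt.Println(kv)
	}
}
```

Running it prints the sample with the SAS, PAT and SIGNING entries redacted while PATH and HOME pass through untouched. The suffix rule is a deliberate trade-off: it catches APIKEY and AUTHTOKEN but not a prefix form such as AUTHORIZATION; a project that wants prefix matching should add it knowingly rather than fall back to substring matching.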
github-actions bot added a commit that referenced this pull request Mar 2, 2026
github-actions bot (Contributor) commented Mar 2, 2026

🚀 Website Preview

Your PR preview was available here.

Preview has been cleaned up as the PR was closed.

github-actions bot (Contributor) commented Mar 2, 2026

🚀 Test This PR

A preview build (0.4.0-pr41) is ready for testing!

🌐 Website Preview

Live Preview: https://jongio.github.io/azd-exec/pr/41/

One-Line Install (Recommended)

PowerShell (Windows):

iex "& { $(irm https://raw.githubusercontent.com/jongio/azd-exec/main/cli/scripts/install-pr.ps1) } -PrNumber 41 -Version 0.4.0-pr41"

Bash (macOS/Linux):

curl -fsSL https://raw.githubusercontent.com/jongio/azd-exec/main/cli/scripts/install-pr.sh | bash -s 41 0.4.0-pr41

Uninstall

When you're done testing:

PowerShell (Windows):

iex "& { $(irm https://raw.githubusercontent.com/jongio/azd-exec/main/cli/scripts/uninstall-pr.ps1) } -PrNumber 41"

Bash (macOS/Linux):

curl -fsSL https://raw.githubusercontent.com/jongio/azd-exec/main/cli/scripts/uninstall-pr.sh | bash -s 41

Build Info:

What to Test:
Please review the PR description and test the changes described there.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
github-actions bot added a commit that referenced this pull request Mar 3, 2026
@jongio jongio merged commit 60695c9 into main Mar 3, 2026
15 checks passed
@jongio jongio deleted the mq branch March 3, 2026 15:48
github-actions bot added a commit that referenced this pull request Mar 3, 2026