ROVER-245 Extra error handling when initialising stream

Apollo SecOps / Static App Security Check completed Dec 20, 2024 in 24s

Static App Security Check

🟡 Potential Security Issues Found

If you are seeing this message, it means that the security scanning tool that Apollo uses to test our source has identified a potential security issue in code introduced or updated via your branch. Information about what was detected and steps to move forward are below.

If the scanner detected a legitimate issue, please take action to correct it prior to merging this PR. The action required will vary based on the detection. If the detection is a false positive, please follow the steps below to resolve the issue.

Issue Detected

Message: temp_dir should not be used for security operations. From the docs: 'The temporary directory may be shared among users, or between processes with different privileges; thus, the creation of any files or directories in the temporary directory must use a secure method to create a uniquely named file. Creating a file or directory with a fixed or predictable name may result in "insecure temporary file" security vulnerabilities.'
Caused CI Failure?: No
Link: Link
Path: src/command/lsp/mod.rs
Signature: rules.providers.semgrep.security.rust.lang.security.temp-dir

False Positive Resolution Process

The easiest way to resolve a false positive is to add a comment containing nosemgrep to the code that triggered the detection. You can add the comment directly to the line triggering the detection or on the line immediately above it. For example:

#!/usr/bin/env python3

def my_function():
    my_code_generating_detection() # nosemgrep

What if I can't add a line comment?

If you can't add a comment because the detection is generated by a file that does not support comments (like JSON), you can use Semgrep's .semgrepignore file. For more information about how to create an exclusion via .semgrepignore, refer to the Semgrep documentation.


Getting Help

The Apollo Security team is available to assist in resolving this issue. Please tag us on this PR using @apollographql/security if you need assistance!


How do I know I fixed this correctly?

You will need to resolve all items in the table above that "Caused CI Failure" prior to merging. Once you have, this check will stop reporting an ❌. We encourage you to resolve issues that aren't causing CI failures as well, but it is not required to merge.

Annotations

Check notice on line 332 in src/command/lsp/mod.rs

@apollo-secops apollo-secops / Static App Security Check

rules.providers.semgrep.security.rust.lang.security.temp-dir

temp_dir should not be used for security operations. From the docs: 'The temporary directory may be shared among users, or between processes with different privileges; thus, the creation of any files or directories in the temporary directory must use a secure method to create a uniquely named file. Creating a file or directory with a fixed or predictable name may result in "insecure temporary file" security vulnerabilities.'