From 6dbdfe50b9f0249b86f0b6593742a6265e7f4a77 Mon Sep 17 00:00:00 2001
From: David Sangrey
Date: Sun, 28 Apr 2024 16:28:28 -0400
Subject: [PATCH 01/10] [Docs] Add CodeQL Workflow and Security Guide
---
.github/SECURITY.md | 13 +++++
.github/pull_request_template.md | 18 ++++++
.github/workflows/codeql.yml | 96 ++++++++++++++++++++++++++++++++
3 files changed, 127 insertions(+)
create mode 100644 .github/SECURITY.md
create mode 100644 .github/pull_request_template.md
create mode 100644 .github/workflows/codeql.yml
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
new file mode 100644
index 00000000..b8a0b244
--- /dev/null
+++ b/.github/SECURITY.md
@@ -0,0 +1,13 @@
+# Reporting Security Issues
+
+EDMC takes security very seriously. Our users trust us to provide a secure and safe tool to support their experience in Elite.
+
+In general, the best way to report a major security issue with us that should not be publically discussed is to email our maintainer teams.
+
+The best point of contact for this is rixxan@hullseals.space. When contacting, be sure to include as much information in your report.
+
+As soon as your report is processed, we'll get in touch to make sure we quickly move ahead with fixing the issue and will lay out a timeline for public disclosure and fixes.
+
+Another method of reporting vulnerabilities is to open a new Bug Report [here](https://github.com/EDCD/EDMarketConnector/issues/new?assignees=&labels=bug%2C+unconfirmed&projects=&template=bug_report.md&title=).
+
+If reporting a security issue here, do not include details as to the issue or steps to reproduce, simply indicate you have found a potential security bug and would like us to contact you directly.
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 00000000..0d1c9ac1
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,18 @@
+ +# Description + + +# Example Images + + +# Type of Change + + +# How Tested + + +# Notes +
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..35a792fa
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,96 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+ push:
+ branches-ignore:
+ - 'main'
+ - 'stable'
+ - 'releases'
+ - 'beta'
+ pull_request:
+ branches: [ develop ]
+ schedule:
+ - cron: '38 5 * * 4'
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ # Runner size impacts CodeQL analysis time. To learn more, please see:
+ # - https://gh.io/recommended-hardware-resources-for-running-codeql
+ # - https://gh.io/supported-runners-and-hardware-resources
+ # - https://gh.io/using-larger-runners (GitHub.com only)
+ # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+ runs-on: 'ubuntu-latest'
+ timeout-minutes: 360
+ permissions:
+ # required for all workflows
+ security-events: write
+
+ # required to fetch internal or private CodeQL packs
+ packages: read
+
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: python
+ build-mode: none
+ # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
+ # Use `c-cpp` to analyze code written in C, C++ or both
+ # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+ # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+ # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+ # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+ # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+ # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+ # If the analyze step fails for one of the languages you are analyzing with
+ # "We were unable to automatically build your code", modify the matrix above
+ # to set the build mode to "manual" for that language. Then modify this step
+ # to build your code.
+ # â„šī¸ Command-line programs to run using the OS shell.
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+ - if: matrix.build-mode == 'manual'
+ run: |
+ echo 'If you are using a "manual" build mode for one or more of the' \
+ 'languages you are analyzing, replace this with the commands to build' \
+ 'your code, for example:'
+ echo ' make bootstrap'
+ echo ' make release'
+ exit 1
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{matrix.language}}"
From fc2426d8b989df6ca21507c03063ca1790ada266 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 1 May 2024 17:29:32 +0000
Subject: [PATCH 02/10] build(deps-dev): bump safety from 3.0.1 to 3.2.0
Bumps [safety](https://github.com/pyupio/safety) from 3.0.1 to 3.2.0.
- [Release notes](https://github.com/pyupio/safety/releases)
- [Changelog](https://github.com/pyupio/safety/blob/main/CHANGELOG.md)
- [Commits](https://github.com/pyupio/safety/compare/3.0.1...3.2.0)
---
updated-dependencies:
- dependency-name: safety
 dependency-type: direct:development
 update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
---
requirements-dev.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements-dev.txt b/requirements-dev.txt
index 41c3a928..42877907 100644
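Review bot: The three `uses:` lines (`actions/checkout@v4`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`) reference mutable major-version tags, so the code that runs under this job's `security-events: write` token can change without any commit in this repository. Pinning each to a full-length commit SHA with the tag in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`, makes the action version reviewable and lets Dependabot keep it current if the `github-actions` ecosystem is enabled alongside the pip updates seen elsewhere in this series. The `# queries:` line is left commented out, so only the default query suite runs; for a brand-new scan with no existing alert baseline, `queries: security-extended` is a low-cost way to include the additional security queries. The `cron` trigger and `timeout-minutes: 360` are the template defaults and are fine as they are.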
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@@ -20,7 +20,7 @@ flake8-use-fstring==1.4
 mypy==1.9.0
 pep8-naming==0.13.3
-safety==3.0.1
+safety==3.2.0
 types-requests==2.31.0.20240311
 types-pkg-resources==0.1.3
From 45cd577bec11d78caf309d750dfb8cca922a3417 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 1 May 2024 17:29:49 +0000
Subject: [PATCH 03/10] build(deps-dev): bump pytest-cov from 4.1.0 to 5.0.0
Bumps [pytest-cov](https://github.com/pytest-dev/pytest-cov) from 4.1.0 to 5.0.0.
- [Changelog](https://github.com/pytest-dev/pytest-cov/blob/master/CHANGELOG.rst)
- [Commits](https://github.com/pytest-dev/pytest-cov/compare/v4.1.0...v5.0.0)
---
updated-dependencies:
- dependency-name: pytest-cov
 dependency-type: direct:development
 update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
---
requirements-dev.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements-dev.txt b/requirements-dev.txt
index 41c3a928..ef2728ca 100644
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@@ -39,7 +39,7 @@ py2exe==0.13.0.1; sys_platform == 'win32'
 # Testing
 pytest==8.1.1
-pytest-cov==4.1.0 # Pytest code coverage support
+pytest-cov==5.0.0 # Pytest code coverage support
 coverage[toml]==7.4.4 # pytest-cov dep. This is here to ensure that it includes TOML support for pyproject.toml configs
 coverage-conditional-plugin==0.9.0
 # For manipulating folder permissions and the like.
From 9ce7206cae156247221d048e6e5c5f812ecc3929 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 1 May 2024 17:29:51 +0000 Subject: [PATCH 04/10] build(deps-dev): bump flake8-json from 23.7.0 to 24.4.0 Bumps [flake8-json](https://github.com/pycqa/flake8-json) from 23.7.0 to 24.4.0. - [Commits](https://github.com/pycqa/flake8-json/compare/23.7.0...24.4.0) --- updated-dependencies: - dependency-name: flake8-json dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- requirements-dev.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-dev.txt b/requirements-dev.txt index 41c3a928..fdab1681 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -13,7 +13,7 @@ flake8-annotations-coverage==0.0.6 flake8-cognitive-complexity==0.1.0 flake8-comprehensions==3.14.0 flake8-docstrings==1.7.0 -flake8-json==23.7.0 +flake8-json==24.4.0 flake8-noqa==1.4.0 flake8-polyfill==1.0.2 flake8-use-fstring==1.4 From 53dd3e3ee5bd35e984007a6f063ecd437b2902f0 Mon Sep 17 00:00:00 2001 From: github-actions Date: Wed, 1 May 2024 17:31:06 +0000 Subject: [PATCH 05/10] updating submodules --- coriolis-data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/coriolis-data b/coriolis-data index 05b16a4c..8adfd86b 160000 --- a/coriolis-data +++ b/coriolis-data @@ -1 +1 @@ -Subproject commit 05b16a4c716980ea95a46d29205f7d3b1f957fb4 +Subproject commit 8adfd86b64e8c14e873d2f5123d88ca6743420b9 From e60d0c8813192b3c0d5ec788c58c4eeb41329993 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 2 May 2024 00:04:43 +0000 Subject: [PATCH 06/10] build(deps-dev): bump coverage[toml] from 7.4.4 to 7.5.0 Bumps [coverage[toml]](https://github.com/nedbat/coveragepy) from 7.4.4 to 7.5.0. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.4.4...7.5.0) --- updated-dependencies: - dependency-name: coverage[toml] dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- requirements-dev.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-dev.txt b/requirements-dev.txt index ef2728ca..8446d00a 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -40,7 +40,7 @@ py2exe==0.13.0.1; sys_platform == 'win32' # Testing pytest==8.1.1 pytest-cov==5.0.0 # Pytest code coverage support -coverage[toml]==7.4.4 # pytest-cov dep. This is here to ensure that it includes TOML support for pyproject.toml configs +coverage[toml]==7.5.0 # pytest-cov dep. This is here to ensure that it includes TOML support for pyproject.toml configs coverage-conditional-plugin==0.9.0 # For manipulating folder permissions and the like. pywin32==306; sys_platform == 'win32' From 5cdf4b9ce3ff4bfa3e168bb79786b5fd728588e0 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 2 May 2024 00:07:11 +0000 Subject: [PATCH 07/10] build(deps-dev): bump pytest from 8.1.1 to 8.2.0 Bumps [pytest](https://github.com/pytest-dev/pytest) from 8.1.1 to 8.2.0. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/8.1.1...8.2.0) --- updated-dependencies: - dependency-name: pytest dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- requirements-dev.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-dev.txt b/requirements-dev.txt index 8446d00a..247f589e 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -38,7 +38,7 @@ grip==4.6.2 py2exe==0.13.0.1; sys_platform == 'win32' # Testing -pytest==8.1.1 +pytest==8.2.0 pytest-cov==5.0.0 # Pytest code coverage support coverage[toml]==7.5.0 # pytest-cov dep. This is here to ensure that it includes TOML support for pyproject.toml configs coverage-conditional-plugin==0.9.0 From 88bfd8ca8bb9b4f05efa6daf65120397ba7fef59 Mon Sep 17 00:00:00 2001 From: David Sangrey Date: Thu, 2 May 2024 15:02:43 -0400 Subject: [PATCH 08/10] [1268] Handover to Path.is_reserved() --- util_ships.py | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/util_ships.py b/util_ships.py index 8bbfd813..b2105106 100644 --- a/util_ships.py +++ b/util_ships.py 
@@ -5,18 +5,21 @@ Copyright (c) EDCD, All Rights Reserved
 Licensed under the GNU General Public License. See LICENSE file.
 """
+from pathlib import Path
 from edmc_data import ship_name_map
 def ship_file_name(ship_name: str, ship_type: str) -> str:
 """Return a ship name suitable for a filename."""
 name = str(ship_name or ship_name_map.get(ship_type.lower(), ship_type)).strip()
- if name.endswith('.'):
- name = name[:-2]
- if name.lower() in ('con', 'prn', 'aux', 'nul',
- 'com0', 'com2', 'com3', 'com4', 'com5', 'com6', 'com7', 'com8', 'com9',
- 'lpt0', 'lpt2', 'lpt3', 'lpt4', 'lpt5', 'lpt6', 'lpt7', 'lpt8', 'lpt9'):
- name += '_'
+ # Handle suffix using Pathlib's with_suffix method
+ name = Path(name).with_suffix("").name
- return name.translate({ord(x): '_' for x in ('\0', '<', '>', ':', '"', '/', '\\', '|', '?', '*')})
+ # Check if the name is a reserved filename
+ if Path(name).is_reserved():
+ name += "_"
+
+ return name.translate(
+ {ord(x): "_" for x in ("\0", "<", ">", ":", '"', "/", "\\", "|", "?", "*")}
+ )
From 2469ca2132e374441fee435a9a9d233b91ca956d Mon Sep 17 00:00:00 2001
From: David Sangrey
Date: Thu, 2 May 2024 20:11:07 -0400
Subject: [PATCH 09/10] [Minor] Correct Email Address
---
.github/SECURITY.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
index b8a0b244..a926715b 100644
--- a/.github/SECURITY.md
+++ b/.github/SECURITY.md
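Review bot: `name = Path(name).with_suffix("").name` changes more than the trailing-dot handling it replaces: every dotted tail is dropped (a constructed example such as `Krait Mk.II` becomes `Krait Mk`), a lone trailing dot appears not to be stripped at all because `Path('foo.').suffix` is empty, an empty name makes `with_suffix` raise `ValueError` where the old code returned `''`, and `.name` keeps only the last path component, so a `/` in the ship name now truncates the result instead of being mapped to `_` by the final `translate`. `Path(name).is_reserved()` is also host-dependent — it always returns False on a non-Windows host, so the reserved-name guard silently disappears there for users on Linux or macOS, and the method is deprecated from Python 3.13. A platform-independent replacement that keeps the original intent is `name = name.rstrip('.')` (or the old `endswith('.')` check with `[:-1]`, since `[:-2]` dropped one character too many) followed by `if PureWindowsPath(name).is_reserved(): name += "_"`, with `translate` kept as the last step; the `from pathlib import Path` line at the top of the hunk would then import `PureWindowsPath` instead. Given the 3.13 deprecation, an explicit reserved-name list (with `com1`/`lpt1`, which the removed list lacked) may outlive either `is_reserved` call.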
@@ -4,7 +4,7 @@ EDMC takes security very seriously. Our users trust us to provide a secure and s
 In general, the best way to report a major security issue with us that should not be publically discussed is to email our maintainer teams.
-The best point of contact for this is rixxan@hullseals.space. When contacting, be sure to include as much information in your report.
+The best point of contact for this is edmc@hullseals.space. When contacting, be sure to include as much information in your report.
 As soon as your report is processed, we'll get in touch to make sure we quickly move ahead with fixing the issue and will lay out a timeline for public disclosure and fixes.
From 83fdaab61b7b472352c38d42a17af83c6e25297b Mon Sep 17 00:00:00 2001
From: David Sangrey
Date: Thu, 2 May 2024 20:28:16 -0400
Subject: [PATCH 10/10] Update codeql.yml
---
.github/workflows/codeql.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 35a792fa..a709c7dc 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -14,7 +14,6 @@ name: "CodeQL"
 on:
 push:
 branches-ignore:
- - 'main'
 - 'stable'
 - 'releases'
 - 'beta'