Ensuring the security of application source code is a critical step in modern software development. In this GitHub Skills course, you will learn to use GitHub code scanning to identify, resolve, and prevent insecure coding patterns.
Nicely done! You finished Step 3: Fix Security Vulnerabilites! 🥳
Way to go! You made it this far. We're almost done! The last step is to test out the pull request integration with CodeQL. In this step, we will add a vulnerability back into the routes.py file to trigger an alert for a SQL injection vulnerability. This is going to be the same issue initially saw.
Our goal is to understand what developers experience when they find a new vulnerability.
In this step, we will:
- edit the
routes.pyfile. - change the SQL statement to make it insecure.
- commit those changes and merge the insecure code into the main branch.
- experience the alert inside the pull request.
Let's get started 👍
What is pull request: Pull requests are proposed changes to a repository submitted by a user and accepted or rejected by a repository's collaborators. This allows multiple people to work on the same code at the same time. For more information, check out the GitHub Skills course "Introduction to GitHub" or "About pull requests" from the GitHub docs.
What is branch: A branch is a parallel version of your repository. By default, your repository has one branch named main and it is considered to be the definitive branch. Creating additional branches allows you to copy the main branch of your repository and safely make any changes without disrupting the main project. For more information, see "About branches" in the GitHub docs.
In this first activity, we'll introduce the same insecure SQL statement from before to the routes.py file. Once we update the file, we'll commit it to a new branch, then create a pull request.
- Click the Code tab in your repository.
- Select the
serverfolder. - Select the
routes.pyfile. - Click the Edit button to the right.
- Edit line 16 by highlighting the SQL statement and replace it with this text:
"SELECT * FROM books WHERE name LIKE '%" + name + "%'". - Click Commit changes... from the top right. The "Propose changes" window will pop up.
- This time, select the radio button next to Create a new branch. You can create a new name for this branch or leave it as the default suggestion.
- Click Propose changes. This opens a new pull request.
- In the "Open a pull request" window, click Create pull request.
At this point, we've edited the file routes.py to add our vulnerable code, committed those changes to our new branch, and created a pull request to merge the new branch into our main branch. These are the same steps a developer would take to introduce new, vulnerable code into a repository.
Now, let's take a look at the pull request to see what the experience is like.
- In the previous activity, we created the pull request. After creating the pull request, you were brought directly to the pull request page. At the bottom of the pull request, you will see a check called "Code scanning/CodeQL". This is the CodeQL analysis job scanning the code introduced in the pull request.
- Once the check is complete, you will see a new comment in the pull request from CodeQL indicating a new security vulnerability; a SQL query built from user-controlled data. This is our SQL injection vulnerability.
-
Review the data flow paths by clicking Show paths.
-
If you would like, add a comment and tag one of your friends by using their GitHub handle (example:
@username). This will notify them that you made a comment on the issue and need their help solving the problem. 😄
If this were a real-world situation, the developer would fix the SQL statement in their branch. Once fixed, the vulnerability will automatically close out.
If you would like to learn more about pull request integrations for code scanning, see "Triaging code scanning alerts in pull requests."
- Wait about 20 seconds then refresh this page (the one you're following instructions from). GitHub Actions will automatically update to the next step.
Get help: Post in our discussion board • Review the GitHub status page
© 2023 GitHub • Code of Conduct • MIT License