add pillar

[confusedcrib]

No description provided.

[guygr99]

This is not required for this kind of implementation - since you use the /v0/sessions API.
We are working on an updated SDK version that will simplify the integration, but for now, you can use the logic implemented in guardrails.py module.

[arnica-github-connector]

Static Code Analysis Risk: Injection - Tainted SQL string

Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries.

Severity: Medium ⚠️
Status: Open 🔴

References:

1. https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql
2. https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm
3. https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column

Suggested reviewers 🧐: @confusedcrib

Details

Take action by replying with an [arnica] command 💬

Actions

Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.

[arnica] ack <message>

Acknowledge the finding as a valid code risk.

Examples

[arnica] ack looking into it

[a] ack triaged by the security team

[arnica] dismiss <fp|accept|capacity> <message>

Dismiss the risk with a reason.

• fp: False positive, i.e. the result is incorrect and indicates no actual risk.

• accept: Tolerable risk, i.e. risk severity is lower than what has been reported or is accepted as it stands.

• capacity: No capacity, i.e. leave me alone, please.

Examples

[arnica] dismiss fp test function

[arnica] dismiss accept ChatGPT assures us that we will be just fine

[a] dismiss capacity not enough caffeine to fix it

[arnica-github-connector]

Static Code Analysis Risk: Injection - Tainted SQL string

Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries.

Severity: Medium ⚠️
Status: Open 🔴

References:

1. https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql
2. https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm
3. https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column

Suggested reviewers 🧐: @confusedcrib

Details

Take action by replying with an [arnica] command 💬

Actions

Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.

[arnica] ack <message>

Acknowledge the finding as a valid code risk.

Examples

[arnica] ack looking into it

[a] ack triaged by the security team

[arnica] dismiss <fp|accept|capacity> <message>

Dismiss the risk with a reason.

• fp: False positive, i.e. the result is incorrect and indicates no actual risk.

• accept: Tolerable risk, i.e. risk severity is lower than what has been reported or is accepted as it stands.

• capacity: No capacity, i.e. leave me alone, please.

Examples

[arnica] dismiss fp test function

[arnica] dismiss accept ChatGPT assures us that we will be just fine

[a] dismiss capacity not enough caffeine to fix it

[arnica-github-connector]

Static Code Analysis Risk: Security Misconfiguration - Debug enabled

Detected Flask app with debug=True. Do not deploy to production with this flag enabled as it will leak sensitive information. Instead, consider using Flask configuration variables or setting 'debug' using system environment variables.

Severity: High 🚨
Status: Open 🔴

References:

1. https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/

Suggested reviewers 🧐: @confusedcrib

Details

Take action by replying with an [arnica] command 💬

Actions

Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.

[arnica] ack <message>

Acknowledge the finding as a valid code risk.

Examples

[arnica] ack looking into it

[a] ack triaged by the security team

[arnica] dismiss <fp|accept|capacity> <message>

Dismiss the risk with a reason.

• fp: False positive, i.e. the result is incorrect and indicates no actual risk.

• accept: Tolerable risk, i.e. risk severity is lower than what has been reported or is accepted as it stands.

• capacity: No capacity, i.e. leave me alone, please.

Examples

[arnica] dismiss fp test function

[arnica] dismiss accept ChatGPT assures us that we will be just fine

[a] dismiss capacity not enough caffeine to fix it

[arnica-github-connector]

Static Code Analysis Risk: Broken Access Control - Avoid app run with bad host

Running flask app with host 0.0.0.0 could expose the server publicly.

Severity: High 🚨
Status: Open 🔴

References:

1. https://owasp.org/Top10/A01_2021-Broken_Access_Control

Suggested reviewers 🧐: @confusedcrib

Details

Take action by replying with an [arnica] command 💬

Actions

Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.

[arnica] ack <message>

Acknowledge the finding as a valid code risk.

Examples

[arnica] ack looking into it

[a] ack triaged by the security team

[arnica] dismiss <fp|accept|capacity> <message>

Dismiss the risk with a reason.

• fp: False positive, i.e. the result is incorrect and indicates no actual risk.

• accept: Tolerable risk, i.e. risk severity is lower than what has been reported or is accepted as it stands.

• capacity: No capacity, i.e. leave me alone, please.

Examples

[arnica] dismiss fp test function

[arnica] dismiss accept ChatGPT assures us that we will be just fine

[a] dismiss capacity not enough caffeine to fix it