Why
GitHub Code Scanning identified 13 security vulnerabilities in the public specfact-cli repository that needed to be mitigated to improve code security and follow best practices. These findings included 1 critical ReDoS vulnerability, 5 URL sanitization issues, and 7 missing workflow permissions that violated security best practices.
What Changes
This change mitigates all 13 code scanning findings:
- Fixed ReDoS vulnerability in src/specfact_cli/backlog/mappers/github_mapper.py by replacing regex-based section removal with line-by-line processing to avoid exponential backtracking
- Fixed incomplete URL sanitization in src/specfact_cli/adapters/github.py by replacing substring matching with proper URL parsing using urllib.parse.urlparse()
- Fixed incomplete URL sanitization in src/specfact_cli/sync/bridge_sync.py (3 instances) by replacing substring matching with proper URL parsing
- Fixed incomplete URL sanitization in src/specfact_cli/adapters/ado.py by replacing substring matching with proper URL parsing
- Added explicit permissions: contents: read blocks to 7 GitHub Actions jobs in .github/workflows/pr-orchestrator.yml to follow the least-privilege security model
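As an added illustration of the URL sanitization fix described above (example code, not the specfact-cli implementation): the substring-style check beside a version that uses urllib.parse.urlparse() and compares the parsed hostname against an allow-list. The host allow-list and the https-only requirement are assumptions; the sample URLs are constructed.

```python
from urllib.parse import urlparse

# Assumed allow-list of hosts; the real project may use different values.
ALLOWED_GITHUB_HOSTS = {"github.com", "api.github.com"}


def is_github_url_substring(url: str) -> bool:
    """Before-style check: a substring match. It accepts any URL that merely
    contains the text 'github.com' somewhere (path, query, userinfo, or a
    lookalike host), which is what the code scanning finding flags."""
    return "github.com" in url


def is_github_url_parsed(url: str, allowed_hosts=ALLOWED_GITHUB_HOSTS) -> bool:
    """After-style check: parse the URL and compare the hostname exactly.
    The https-only rule is an assumption added for this example."""
    try:
        parsed = urlparse(url)
    except ValueError:
        return False
    if parsed.scheme != "https":
        return False
    host = (parsed.hostname or "").lower()
    return host in allowed_hosts


# Constructed sample URLs with the verdict the parsed check should give.
SAMPLES = {
    "https://github.com/org/repo": True,
    "https://api.github.com/repos/org/repo": True,
    "http://github.com/org/repo": False,            # wrong scheme
    "https://github.com.attacker.example/x": False,  # lookalike host
    "https://attacker.example/github.com/x": False,  # string only in path
    "https://attacker.example/?next=github.com": False,  # string in query
    "https://github.com@attacker.example/x": False,  # string in userinfo
}


def parsed_check_matches_expected(samples=SAMPLES) -> bool:
    """True when the parsed check returns the expected verdict for every sample."""
    return all(is_github_url_parsed(u) == ok for u, ok in samples.items())


def disagreements(samples=SAMPLES) -> list:
    """URLs the substring check accepts but the parsed check rejects (or vice versa)."""
    return [u for u in samples if is_github_url_substring(u) != is_github_url_parsed(u)]
```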
Acceptance Criteria
Additional Context
All fixes maintain backward compatibility with no breaking changes to APIs or interfaces. Changes are security-focused and follow industry best practices.
OpenSpec Change Proposal: fix-code-scanning-vulnerabilities