HellionChat/.github/workflows/build.yml
JonKazama-Hellion 53c432a635 fix(security): close codeql findings #1 and #2
Two CodeQL alerts opened against the codeql-manual-build workflow's
first scan. Both real, both small fixes.

#1 Medium / Workflow does not contain permissions
   build.yml runs read-only against the repo (no push, no release
   creation, no API mutations) but never declared a permissions
   block, so the default GITHUB_TOKEN scope applied. Pin to
   contents: read at workflow level. Release and CodeQL workflows
   already have their explicit minimal scopes.

#2 Critical / Unvalidated local pointer arithmetic
   ImGuiUtil.WrappedTextWithPos splits its input on newlines and
   passes each part through Encoding.UTF8.GetBytes inside a fixed
   block. Empty splits (consecutive newlines, blank lines) produced
   a zero-length byte array, fixed gave us a valid pointer, and
   textEnd = text + bytes.Length collapsed onto text. The downstream
   ImGuiNative.CalcWordWrapPositionA calls received identical start
   and end pointers, which is undefined behaviour at the native
   boundary even if it happens to no-op on the current ImGui build.
   Bail before entering the fixed block when bytes.Length == 0 and
   render an empty line for the gap, which is what the original
   text == null guard was trying to do but could never reach inside
   a fixed block over a non-null array.
2026-05-02 23:25:41 +02:00
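The empty-split path the commit describes, as an added C# illustration that is not HellionChat's code: the before and after shapes of the split loop, with the native call replaced by a stand-in that only records whether it received identical start and end pointers (the real ImGuiNative.CalcWordWrapPositionA signature is not on the page and is assumed).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
// Not HellionChat's code; compile with AllowUnsafeBlocks.
static unsafe class WrapDemo
{
    // Stand-in for ImGuiNative.CalcWordWrapPositionA (assumed shape, not the
    // real binding): records whether start and end pointers were identical.
    public static readonly List<bool> NativeCalls = new();
    static void FakeCalcWordWrapPositionA(byte* text, byte* textEnd)
        => NativeCalls.Add(text == textEnd);

    // Before: every split enters the fixed block; for an empty array
    // ptr + 0 == ptr, so the native side receives an empty range.
    public static void WrappedTextBefore(string text)
    {
        foreach (var line in text.Split('\n'))
        {
            var bytes = Encoding.UTF8.GetBytes(line);
            fixed (byte* ptr = bytes)
                FakeCalcWordWrapPositionA(ptr, ptr + bytes.Length);
        }
    }

    // After: bail before the fixed block on an empty split and count the gap
    // (the plugin renders it as an empty line instead of wrapping it).
    public static int WrappedTextAfter(string text)
    {
        var gaps = 0;
        foreach (var line in text.Split('\n'))
        {
            var bytes = Encoding.UTF8.GetBytes(line);
            if (bytes.Length == 0) { gaps++; continue; }
            fixed (byte* ptr = bytes)
                FakeCalcWordWrapPositionA(ptr, ptr + bytes.Length);
        }
        return gaps;
    }
    static void Main()
    {
        const string sample = "first\n\nthird\n"; // constructed: blank line and trailing newline
        WrappedTextBefore(sample);
        Console.WriteLine($"before: {NativeCalls.Count(c => c)} native calls with text == textEnd");
        NativeCalls.Clear();
        var gaps = WrappedTextAfter(sample);
        Console.WriteLine($"after: {NativeCalls.Count(c => c)} such calls, {gaps} gaps rendered as empty lines");
    }
}
```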


name: Build
# Verifies that every push to main and every PR still builds against the
# current Dalamud staging branch. Does not produce release artefacts; the
# release workflow handles that on tag.
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch:
# Minimum permissions for a build-only workflow: read the repo, nothing
# else. Closes the CodeQL "Workflow does not contain permissions" alert
# and matches the principle-of-least-privilege the security guide
# recommends for workflows that don't push or create releases.
permissions:
  contents: read
jobs:
  build:
    name: Build (Release)
    runs-on: windows-latest
    timeout-minutes: 15
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Setup .NET 10
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 10.0.x
      - name: Download Dalamud staging
        shell: pwsh
        run: |
          $hooks = Join-Path $env:APPDATA "XIVLauncher\addon\Hooks\dev"
          New-Item -ItemType Directory -Force -Path $hooks | Out-Null
          Invoke-WebRequest -Uri https://goatcorp.github.io/dalamud-distrib/stg/latest.zip -OutFile dalamud.zip
          Expand-Archive -Force -Path dalamud.zip -DestinationPath $hooks
      - name: Restore
        run: dotnet restore ChatTwo/ChatTwo.csproj
      - name: Build (Release)
        run: dotnet build ChatTwo/ChatTwo.csproj --configuration Release --no-restore
      - name: Upload build output
        uses: actions/upload-artifact@v7
        with:
          name: HellionChat-build-${{ github.run_number }}
          path: ChatTwo/bin/Release/**/HellionChat/**
          if-no-files-found: warn
          retention-days: 14