Bump version from 5.5.0 to 5.5.1 #248
| name: Security Audit | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| workflow_dispatch: # Manuelle Ausführung ermöglichen | |
| permissions: | |
| contents: read | |
| security-events: write | |
| jobs: | |
| # CodeQL für JavaScript (PHP wird nicht unterstützt) | |
| codeql: | |
| name: CodeQL Analysis | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v4 | |
| with: | |
| languages: javascript | |
| queries: security-extended | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v4 | |
| with: | |
| category: "/language:javascript" | |
| # Semgrep für Pattern-basierte Analyse | |
| semgrep: | |
| name: Semgrep Security Scan | |
| runs-on: ubuntu-latest | |
| container: | |
| image: semgrep/semgrep | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Run Semgrep | |
| run: | | |
| semgrep scan \ | |
| --config "p/php" \ | |
| --config "p/javascript" \ | |
| --config "p/xss" \ | |
| --config "p/sql-injection" \ | |
| --config ".semgrep/" \ | |
| --sarif --output semgrep-results.sarif \ | |
| --error \ | |
| || true | |
| - name: Upload Semgrep results | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: semgrep-results.sarif | |
| if: always() | |
| # Custom REDAXO Security Rules | |
| redaxo-security: | |
| name: REDAXO Security Patterns | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Check for unescaped output in PHP | |
| run: | | |
| echo "🔍 Prüfe auf potenzielle XSS-Schwachstellen..." | |
| # Suche nach <?= ohne rex_escape in .php Dateien | |
| ISSUES=$(grep -rn --include="*.php" '<?=' . | grep -v 'rex_escape' | grep -v 'vendor/' | grep -v '.github/' || true) | |
| if [ -n "$ISSUES" ]; then | |
| echo "⚠️ Potenzielle XSS-Schwachstellen gefunden:" | |
| echo "$ISSUES" | |
| echo "" | |
| echo "Bitte prüfen, ob rex_escape() verwendet werden sollte." | |
| else | |
| echo "✅ Keine offensichtlichen XSS-Muster gefunden." | |
| fi | |
| - name: Check for dangerous PHP functions | |
| run: | | |
| echo "🔍 Prüfe auf gefährliche PHP-Funktionen..." | |
| # Suche nach eval, exec, system, etc. | |
| DANGEROUS=$(grep -rn --include="*.php" -E '\b(eval|exec|system|passthru|shell_exec|popen|proc_open)\s*\(' . | grep -v 'vendor/' | grep -v '.github/' || true) | |
| if [ -n "$DANGEROUS" ]; then | |
| echo "⚠️ Potenziell gefährliche Funktionen gefunden:" | |
| echo "$DANGEROUS" | |
| else | |
| echo "✅ Keine gefährlichen Funktionen gefunden." | |
| fi | |
| - name: Check for SQL Injection patterns | |
| run: | | |
| echo "🔍 Prüfe auf potenzielle SQL-Injection..." | |
| # Suche nach direkter String-Konkatenation in SQL | |
| SQL_ISSUES=$(grep -rn --include="*.php" -E '\$sql.*\.(.*\$_|.*rex_request|.*\$[a-zA-Z]+\[)' . | grep -v 'vendor/' | grep -v '.github/' || true) | |
| if [ -n "$SQL_ISSUES" ]; then | |
| echo "⚠️ Potenzielle SQL-Injection gefunden:" | |
| echo "$SQL_ISSUES" | |
| echo "" | |
| echo "Bitte rex_sql mit Prepared Statements verwenden." | |
| else | |
| echo "✅ Keine offensichtlichen SQL-Injection-Muster gefunden." | |
| fi | |
| - name: Summary | |
| run: | | |
| echo "" | |
| echo "📋 Security-Audit abgeschlossen." | |
| echo "Für detaillierte Ergebnisse siehe die einzelnen Job-Outputs." | |
| echo "" | |
| echo "Empfehlungen:" | |
| echo "- Alle Ausgaben mit rex_escape() escapen" | |
| echo "- rex_sql mit setTable()/setValue() oder Prepared Statements nutzen" | |
| echo "- Keine eval() oder ähnliche Funktionen verwenden" |
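Review bot: The `semgrep` job runs in `container: image: semgrep/semgrep` with no tag or digest, so a workflow whose purpose is to audit the code pulls whatever `latest` resolves to on every run, and the actions are pinned only to mutable major tags (`actions/checkout@v4`, `github/codeql-action/*@v4`); for a job that also holds `security-events: write`, pin the image as `image: semgrep/semgrep:<version>@sha256:<digest>` and the actions to full commit SHAs with the version kept in a trailing comment. Separately, `--error` in the `Run Semgrep` step is neutralised by the `|| true` that follows it, and the three grep checks in `redaxo-security` only echo warnings and never `exit 1`, so every job in this workflow passes regardless of findings; if report-only via the SARIF upload is the intent, state it in a comment above `semgrep scan`, otherwise drop `|| true` and end each grep step with `exit 1` when its variable is non-empty. That same `|| true` can also hide a semgrep crash or an unreadable `.semgrep/` path, in which case `semgrep-results.sarif` is never written and the `if: always()` upload step fails on the missing file rather than surfacing the real error. Note too that `grep -v 'rex_escape'` filters whole lines, so a line that mixes an escaped and an unescaped `<?=` is silently accepted, and `grep -v '.github/'` uses an unescaped `.` that matches any character.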