Harden parser validation and evidence guardrails#96
Closed
DevOpsMadDog wants to merge 10 commits into
Closed
Conversation
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
5 issues found across 13 files
Prompt for AI agents (all 5 issues)
Understand the root cause of the following 5 issues and fix them.
<file name="apps/api/app.py">
<violation number="1" location="apps/api/app.py:127">
Returning 403 here treats an invalid API key as an authorization failure, but this case is still an authentication failure and should continue to return 401 to match standard HTTP semantics and existing clients.</violation>
</file>
<file name="fixops/utils/paths.py">
<violation number="1" location="fixops/utils/paths.py:12">
Using Path(...).name collapses every input to a single filename, so callers specifying nested evidence paths (e.g., "reports/logs/event.json") will now write to the root as "event.json" and lose directory structure. This breaks valid usages without improving safety; the existing resolve/parent check already blocks escapes.</violation>
</file>
<file name="evidence/packager.py">
<violation number="1" location="evidence/packager.py:264">
Using resolve_within_root here drops tag subdirectories, so tags like `release/v1.0` and `hotfix/v1.0` both resolve to the same manifest path and overwrite each other. Please retain unique per-tag paths.</violation>
<violation number="2" location="evidence/packager.py:268">
resolve_within_root flattens tag names, so different namespaced tags now produce the same bundle filename and overwrite existing bundles. Please keep the per-tag directory structure when constructing the bundle path.</violation>
</file>
<file name="core/stage_runner.py">
<violation number="1" location="core/stage_runner.py:732">
Limit aws_security_group_rule detection to ingress rules; otherwise egress-only rules (the AWS default) are now flagged as open security groups and inflate the deploy risk score.</violation>
</file>
Since this is your first cubic review, here's how it works:
- cubic automatically reviews your code and comments on bugs and improvements
- Teach cubic by replying to its comments. cubic learns from your replies and gets better over time
- Ask questions if you need clarification on any suggestion
React with 👍 or 👎 to teach cubic. Mention @cubic-dev-ai to give feedback, ask questions, or re-run the review.
| yaml.safe_dump(manifest, handle, sort_keys=False) | ||
|
|
||
| bundle_path = bundle_dir / f"{tag}.zip" | ||
| bundle_path = resolve_within_root(bundle_dir, f"{tag}.zip") |
Contributor
There was a problem hiding this comment.
resolve_within_root flattens tag names, so different namespaced tags now produce the same bundle filename and overwrite existing bundles. Please keep the per-tag directory structure when constructing the bundle path.
Prompt for AI agents
Address the following comment on evidence/packager.py at line 268:
<comment>resolve_within_root flattens tag names, so different namespaced tags now produce the same bundle filename and overwrite existing bundles. Please keep the per-tag directory structure when constructing the bundle path.</comment>
<file context>
@@ -259,11 +261,11 @@ def create_bundle(inputs: BundleInputs) -> dict[str, Any]:
yaml.safe_dump(manifest, handle, sort_keys=False)
- bundle_path = bundle_dir / f"{tag}.zip"
+ bundle_path = resolve_within_root(bundle_dir, f"{tag}.zip")
with ZipFile(bundle_path, "w") as archive:
for source, arcname in bundle_files:
</file context>
✅ Addressed in 7617726
Contributor
There was a problem hiding this comment.
Here's a PR: #102 Preserve per-tag directory structure when constructing bundle paths (merges into #96)
Review and merge it to apply the changes.
Contributor
There was a problem hiding this comment.
Here's a PR: #103 Preserve per-tag directories to prevent bundle overwrites (merges into #96)
Review and merge it to apply the changes.
| } | ||
|
|
||
| manifest_path = manifest_dir / f"{tag}.yaml" | ||
| manifest_path = resolve_within_root(manifest_dir, f"{tag}.yaml") |
Contributor
There was a problem hiding this comment.
Using resolve_within_root here drops tag subdirectories, so tags like release/v1.0 and hotfix/v1.0 both resolve to the same manifest path and overwrite each other. Please retain unique per-tag paths.
Prompt for AI agents
Address the following comment on evidence/packager.py at line 264:
<comment>Using resolve_within_root here drops tag subdirectories, so tags like `release/v1.0` and `hotfix/v1.0` both resolve to the same manifest path and overwrite each other. Please retain unique per-tag paths.</comment>
<file context>
@@ -259,11 +261,11 @@ def create_bundle(inputs: BundleInputs) -> dict[str, Any]:
}
- manifest_path = manifest_dir / f"{tag}.yaml"
+ manifest_path = resolve_within_root(manifest_dir, f"{tag}.yaml")
with manifest_path.open("w", encoding="utf-8") as handle:
yaml.safe_dump(manifest, handle, sort_keys=False)
</file context>
✅ Addressed in 88b9980
| cidr_values = [] | ||
| if any(value == "0.0.0.0/0" for value in cidr_values): | ||
| cidr_values = _extract_cidrs(rule) | ||
| if _contains_open_rule(cidr_values): |
Contributor
There was a problem hiding this comment.
Limit aws_security_group_rule detection to ingress rules; otherwise egress-only rules (the AWS default) are now flagged as open security groups and inflate the deploy risk score.
Prompt for AI agents
Address the following comment on core/stage_runner.py at line 732:
<comment>Limit aws_security_group_rule detection to ingress rules; otherwise egress-only rules (the AWS default) are now flagged as open security groups and inflate the deploy risk score.</comment>
<file context>
@@ -695,23 +721,24 @@ def _analyse_posture(self, payload: Mapping[str, Any]) -> dict[str, Any]:
- cidr_values = []
- if any(value == "0.0.0.0/0" for value in cidr_values):
+ cidr_values = _extract_cidrs(rule)
+ if _contains_open_rule(cidr_values):
open_security_groups.add(name)
</file context>
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
…-py-L12-1760531107 Preserve nested evidence paths instead of collapsing names (merges into #96)
…-py-L268-1760701090 Preserve per-tag directories to prevent bundle overwrites (merges into #96)
Contributor
|
Closing as part of PR consolidation. Useful changes have been cherry-picked into PR #240. |
DevOpsMadDog
added a commit
that referenced
this pull request
May 6, 2026
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
aws_security_groupandaws_security_group_ruleresources and expand testsTesting
https://chatgpt.com/codex/tasks/task_e_68ed01a3412c8329bf48c383b61f8b4d
Summary by cubic
Strengthens input parsing and evidence storage with strict SARIF validation and safe path resolution. Adds open security group detection across both Terraform resource types and improves API auth responses.
New Features
Bug Fixes