chore: fix false positives in CodeQL (#17138)

sreya · web-flow · commit eded0ed4b6a0 · 2025-03-27T16:06:58.000-05:00
Clears up some false positives being surfaced by CodeQL
diff --git a/agent/agentcontainers/containers_dockercli.go b/agent/agentcontainers/containers_dockercli.go
@@ -491,21 +491,15 @@ func convertDockerInspect(raw []byte) ([]codersdk.WorkspaceAgentContainer, []str
 //	"8080" -> 8080, "tcp"
 func convertDockerPort(in string) (uint16, string, error) {
 	parts := strings.Split(in, "/")
+	p, err := strconv.ParseUint(parts[0], 10, 16)
+	if err != nil {
+		return 0, "", xerrors.Errorf("invalid port format: %s", in)
+	}
 	switch len(parts) {
 	case 1:
 		// assume it's a TCP port
-		p, err := strconv.Atoi(parts[0])
-		if err != nil {
-			return 0, "", xerrors.Errorf("invalid port format: %s", in)
-		}
-		// #nosec G115 - Safe conversion since Docker TCP ports are limited to uint16 range
 		return uint16(p), "tcp", nil
 	case 2:
-		p, err := strconv.Atoi(parts[0])
-		if err != nil {
-			return 0, "", xerrors.Errorf("invalid port format: %s", in)
-		}
-		// #nosec G115 - Safe conversion since Docker ports are limited to uint16 range
 		return uint16(p), parts[1], nil
 	default:
 		return 0, "", xerrors.Errorf("invalid port format: %s", in)
diff --git a/agent/ls.go b/agent/ls.go
@@ -76,6 +76,7 @@ func listFiles(query LSRequest) (LSResponse, error) {
 		return LSResponse{}, xerrors.Errorf("failed to get absolute path of %q: %w", fullPathRelative, err)
 	}
 
+	// codeql[go/path-injection] - The intent is to allow the user to navigate to any directory in their workspace.
 	f, err := os.Open(absolutePathString)
 	if err != nil {
 		return LSResponse{}, xerrors.Errorf("failed to open directory %q: %w", absolutePathString, err)
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -1100,6 +1100,7 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 	// We use AuthCodeURL from the OAuth2Config field instead of the one on
 	// GithubOAuth2Config because when device flow is configured, AuthCodeURL
 	// is overridden and returns a value that doesn't pass the URL check.
+	// codeql[go/constant-oauth2-state] -- We are solely using the AuthCodeURL from the OAuth2Config field in order to validate the hostname of the external auth provider.
 	if externalauth.IsGithubDotComURL(api.GithubOAuth2Config.OAuth2Config.AuthCodeURL("")) && user.GithubComUserID.Int64 != ghUser.GetID() {
 		err = api.Database.UpdateUserGithubComUserID(ctx, database.UpdateUserGithubComUserIDParams{
 			ID: user.ID,

Original file line number	Diff line number	Diff line change
`@@ -76,6 +76,7 @@ func listFiles(query LSRequest) (LSResponse, error) {`
`76`	`76`	`return LSResponse{}, xerrors.Errorf("failed to get absolute path of %q: %w", fullPathRelative, err)`
`77`	`77`	`}`
`78`	`78`
	`79`	`+ // codeql[go/path-injection] - The intent is to allow the user to navigate to any directory in their workspace.`
`79`	`80`	`f, err := os.Open(absolutePathString)`
`80`	`81`	`if err != nil {`
`81`	`82`	`return LSResponse{}, xerrors.Errorf("failed to open directory %q: %w", absolutePathString, err)`