Address/Suppress various CodeQL items (#236)

andystaples · web-flow · commit f457df91de25 · 2025-08-05T12:10:48.000-07:00
diff --git a/azuremanaged/src/main/java/com/microsoft/durabletask/azuremanaged/DurableTaskSchedulerConnectionString.java b/azuremanaged/src/main/java/com/microsoft/durabletask/azuremanaged/DurableTaskSchedulerConnectionString.java
@@ -153,7 +153,7 @@ private static Map<String, String> parseConnectionString(String connectionString
         // Parse the supported auth types in a case-insensitive way
         switch (authType.toLowerCase().trim()) {
             case "defaultazure":
-                return new DefaultAzureCredentialBuilder().build();
+                return new DefaultAzureCredentialBuilder().build(); // CodeQL [SM05141] Use DefaultAzureCredential explicitly for local development and is decided by the user
             case "managedidentity":
                 return new ManagedIdentityCredentialBuilder().clientId(getClientId()).build();
             case "workloadidentity":
diff --git a/client/src/main/java/com/microsoft/durabletask/util/UUIDGenerator.java b/client/src/main/java/com/microsoft/durabletask/util/UUIDGenerator.java
@@ -29,7 +29,9 @@ public static UUID generate(int version, String algorithm, UUID namespace, Strin
 
     private static MessageDigest hasher(String algorithm) {
         try {
-            return MessageDigest.getInstance(algorithm);
+            return MessageDigest.getInstance(algorithm); /* CodeQL [SM05136] Suppressed: SHA1 is not used for cryptographic purposes here. The information being hashed is not sensitive,
+                                                            and the goal is to generate a deterministic Guid. We cannot update to SHA2-based algorithms without breaking
+                                                            customers' inflight orchestrations. */
         } catch (NoSuchAlgorithmException e) {
             throw new RuntimeException(String.format("%s not supported.", algorithm));
         }
diff --git a/samples/src/main/java/io/durabletask/samples/OrchestrationController.java b/samples/src/main/java/io/durabletask/samples/OrchestrationController.java
@@ -8,6 +8,8 @@
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
 
+import org.springframework.web.util.HtmlUtils;
+
 @RestController
 public class OrchestrationController {
 
@@ -19,7 +21,7 @@ public OrchestrationController() {
 
     @GetMapping("/hello")
     public String greeting(@RequestParam(value = "name", defaultValue = "World") String name) {
-        return String.format("Hello, %s!", name);
+        return String.format("Hello, %s!", HtmlUtils.htmlEscape(name));
     }
 
     @GetMapping("/placeOrder")
