SQL refactor #287
SQL refactor #287
Conversation
…of items upon update, create DB helpers, add godotenv
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
| @@ -70,3 +75,14 @@ services: | |||
| - ALLOW_EMPTY_PASSWORD=yes | |||
| networks: | |||
| - sync | |||
| postgres: | |||
There was a problem hiding this comment.
reported by reviewdog 🐶
[semgrep] Service 'postgres' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges=true' in 'security_opt' to prevent this.
Source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/services/docker-compose-no-new-privileges.yaml
Cc @thypon kdenhartog
There was a problem hiding this comment.
The combination of this one with the additional one below do look like they'll present issues. Should be an easy fix to add the no-new-privileges=true configuration to this file. If there's a reason we intentionally haven't done this though @DJAndries let me know and we can determine together what the best way forward is.
| @@ -70,3 +75,14 @@ services: | |||
| - ALLOW_EMPTY_PASSWORD=yes | |||
| networks: | |||
| - sync | |||
| postgres: | |||
There was a problem hiding this comment.
reported by reviewdog 🐶
[semgrep] Service 'postgres' is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. Add 'read_only: true' to this service to prevent this.
Source: https://semgrep.dev/r/yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service
Cc @thypon kdenhartog
There was a problem hiding this comment.
Same as above, seems like a simple solution to solve this is to add the read_only: true configuration. If you can't let me know and we'll figure out the best way forward @DJAndries.
| if !h.SQLDB.Variations().Ready { | ||
| return nil, nil | ||
| } | ||
| if rand.Float32() > h.SQLDB.MigrateIntervalPercent() { |
There was a problem hiding this comment.
non blocking question: @DJAndries what's the purpose in this validation check? The logic is non-deterministic in the sense that rand could return a very large number forcing this to fail the migration. Is this intentional?
There was a problem hiding this comment.
to reduce DB load, we only want to migrate chunks of data from ddb to pg on a certain percentage of "get update" requests from the client, which are sent every 30 seconds. the check enforces this requirement.
There was a problem hiding this comment.
will add a comment for clarity
There was a problem hiding this comment.
If you want a more uniform randomness, crypto/rand can provide that guarantee, but based on that answer it doesn't seem like we really need that so feel free to ignore that sec-actions comment.
|
|
||
| import ( | ||
| "fmt" | ||
| "math/rand/v2" |
There was a problem hiding this comment.
reported by reviewdog 🐶
[semgrep] Do not use math/rand. Use crypto/rand instead.
Source: https://semgrep.dev/r/go.lang.security.audit.crypto.math_random.math-random-used
Cc @thypon @kdenhartog
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| @@ -0,0 +1,9 @@ | |||
| FROM public.ecr.aws/docker/library/postgres:16 | |||
|
|
|||
| RUN apt update && apt install -y git make gcc postgresql-server-dev-16 | |||
Check notice
Code scanning / SonarCloud
Arguments in long RUN instructions should be sorted Low
|
[puLL-Merge] - brave/go-sync@287 DescriptionThis PR introduces significant changes to the codebase, primarily focusing on adding support for SQL databases alongside the existing DynamoDB implementation. It also includes improvements to the data migration process, updates to the project structure, and enhancements to the testing suite. ChangesChanges
Possible Issues
Security Hotspots
|
Resolves #216