name: "Bambuddy CodeQL Configuration"
# Uses the default query suite with accepted-risk exclusions.
# Each exclusion is reviewed and documented below.
#
# NOTE(review): an `exclude` by query id removes that query from the
# analysis for the whole repository, including code written later. Where
# a rationale below is tied to specific files (generated or third-party
# code, test files), scoping with `paths-ignore` or dismissing the
# individual alerts keeps the query active for the rest of the codebase.

query-filters:
  # ── Python Accepted Risk ─────────────────────────────────────────────

  # Log injection: all logging uses %s parameterized style. Remaining
  # findings are CodeQL taint-tracking printer/device data into
  # parameterized log args. Accepted risk for a local-network tool.
  - exclude:
      id: py/log-injection

  # Cyclic imports: SQLAlchemy ORM pattern — models import the database
  # base class, database imports models for migrations.
  - exclude:
      id: py/cyclic-import
  - exclude:
      id: py/unsafe-cyclic-import

  # Unused local variables: Python `_` prefix convention for intentional
  # discards (tuple unpacking, test-fixture side effects).
  - exclude:
      id: py/unused-local-variable

  # Path injection: all paths validated — extension whitelists, traversal
  # checks (rejects `..` / `\`), UUID-based naming, or constructed from
  # integer IDs in controlled base directories.
  - exclude:
      id: py/path-injection

  # Stack trace exposure: str(e) replaced with generic messages in HTTP
  # responses. Remaining findings are CodeQL tracing through
  # _update_status dict returns, not actual exposures.
  - exclude:
      id: py/stack-trace-exposure

  # Socket bind to 0.0.0.0: virtual printer SSDP/discovery services must
  # bind all interfaces for LAN discoverability.
  - exclude:
      id: py/bind-socket-all-network-interfaces

  # SSRF: URLs come from admin-configured settings (external cameras,
  # Home Assistant, Tasmota). Validation added for scheme, hostname, and
  # metadata-service blocking.
  - exclude:
      id: py/partial-ssrf
  - exclude:
      id: py/full-ssrf

  # Unused global variables: false positives — module-level cache
  # variables written via `global` in one function, read in another.
  - exclude:
      id: py/unused-global-variable

  # Clear-text logging sensitive data: false positive — `api_key` in
  # firmware_check.py is a printer model identifier string
  # ("x1", "p1", "a1-mini"), not a secret.
  - exclude:
      id: py/clear-text-logging-sensitive-data

  # Clear-text storage sensitive data: JWT secret stored in a file with
  # 0600 permissions. Standard for single-host deployment.
  - exclude:
      id: py/clear-text-storage-sensitive-data

  # Weak hashing on sensitive data: MD5 used with usedforsecurity=False
  # for AMS tray fingerprinting, not security.
  - exclude:
      id: py/weak-sensitive-data-hashing

  # Catch base exception: in frontend/node_modules third-party code
  # (flatted/python/flatted.py), outside our control.
  # The rationale is a single vendored path; a `paths-ignore` entry for
  # that directory would scope the suppression instead of dropping the
  # query for first-party code as well.
  - exclude:
      id: py/catch-base-exception

  # LDAP injection: all user input is RFC 4515 escaped via _ldap_escape()
  # (ldap_service.py:282) before interpolation into search filters.
  # CodeQL does not trace through the escape replace-loop and reports
  # false positives on lines 131 / 183 / 198 where escaped values are
  # reused.
  - exclude:
      id: py/ldap-injection

  # Incomplete URL substring sanitization: only triggers in test
  # assertions (test_cloud_auth.py) that verify the mocked HTTP client
  # saw the right hostname (e.g. `"api.bambulab.cn" in captured_url`).
  # URLs come from a mock's captured_urls list, not user input.
  # Since every finding is in tests, ignoring the test path would keep
  # the query active for application code.
  - exclude:
      id: py/incomplete-url-substring-sanitization

  # ── JavaScript Accepted Risk ─────────────────────────────────────────

  # XSS through DOM: false positives —
  # 1. coverage/sorter.js: generated Istanbul coverage report
  # 2. TimelapseEditorModal.tsx: URL.createObjectURL(file) creates
  #    a safe blob: URL used as