Initial commit.

.github/ISSUE_TEMPLATE/bug-report.md

@@ -0,0 +1,42 @@
+---
+name: Bug Report
+about: Create a report to help us improve
+title: ''
+labels: 'bug'
+assignees: ''
+
+---
+
+# Bug Description
+
+
+# Steps To Reproduce
+
+
+# Expected Behavior
+
+
+# Screenshots
+
+
+# Environment
+
+
+# Additional Context
+
+
+# Proposed Solution
+
+
+# Known Workarounds
+
+
+# Useful Links
+
+
+# Task Relationships
+
+This bug:
+* Is caused by: 
+* Relates to: 
+* Depends on:

.github/ISSUE_TEMPLATE/task.md

@@ -0,0 +1,71 @@
+---
+name: Task
+about: Template for creating tasks
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+# Task Description
+
+<!-- Provide an explanation of the issue -->
+
+# Open Questions
+
+<!-- Add any list of questions that still need to be clarified here -->
+
+# Notes
+
+<!-- Add any useful findings here -->
+
+# Task List
+
+<!-- The list below is just an example of a possible breakdown of the work: -->
+
+The following tasks will need to be carried out:
+* [ ] Investigate the issue.
+* [ ] Provide a solution.
+* [ ] Test the fix.
+* [ ] Update the documentation.
+
+# Useful Commands
+
+
+# Incurred Costs
+
+
+# Task Relationships
+
+This task:
+* Is a sub-task of: #
+* Depends on: #
+* Is a follow-up of: # 
+* Relates to: #
+
+# Resources
+
+<!-- Use this section to list out internal resources, such as, for example:
+     * Git repositories
+     * Wiki pages
+     * Service IP-s/URL-s 
+     * Etc
+     -->
+
+# Useful Links
+
+<!-- Use this section to collect links to articles, or documentation you found useful for the resolution of this issue -->
+* [link1]()
+* [link2]()
+* [link3]()
+
+# Points of Contact
+
+<!-- List people who might be able to help get a better understanding of the problem. For example:
+     - The person who reported this issue, (if you are raising it on their behalf)
+     - Any Subject Matter Experts (SME-s) that might help with providing ideas on how to implement this
+     - Any chat channels where questions could be raised
+     - If this is related to a third-party vendor issue, list e-mails, issue trackers, established, or dedicated contacts one could reach out to
+     - Any other stakeholders
+     - Any other interested parties
+     -->

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,24 @@
+# Pull Request Description
+
+This pull request fixes # <!-- insert the issue number here -->
+
+# Questions
+
+* Does this pull request break backward compatibility? 
+  * Yes
+  * No
+
+* Does this pull request require other pull requests to be merged first? 
+  * Yes, please see # <!-- insert the issue number(s) here -->
+  * No
+
+* Does this require an update of the documentation?
+  * Yes, please update the documentation [here](), [here]() and [here](). 
+  * No
+
+# Code Review And Pre-Merge Checklist
+
+* [ ] My code follows the coding convention of this project.
+* [ ] I have performed a self-review of my own code.
+* [ ] I have commented my code in hard-to-understand areas.
+* [ ] My changes generate no new warnings.

.github/workflows/build-and-publish.yml

@@ -0,0 +1,125 @@
+name: build-and-publish
+run-name: Build and publish
+
+on:
+  workflow_dispatch:
+    inputs:
+      BRANCH:
+        type: choice
+        options:
+          - master
+        description: Branch to build and push
+        default: master
+        required: true
+
+  repository_dispatch:
+    types: [ "ql:publish-coomand" ]
+
+#env:
+#  GIT_REF: ${{ inputs.BRANCH != '' && inputs.BRANCH || github.event.client_payload.pull_request.head.sha }}
+#  VERSION_REF: ${{ inputs.BRANCH != '' && inputs.BRANCH || format('PR-{0}', github.event.client_payload.github.payload.issue.number) }}
+
+# These permissions are required to allow writing comments and reporting check status.
+permissions:
+  contents: write
+  pull-requests: write
+  actions: write
+  statuses: write
+  issues: write
+  checks: write
+
+jobs:
+  build-and-publish:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ env.GIT_REF }}
+
+      - name: Get git commit hash
+        uses: pr-mpt/actions-commit-hash@v2
+        id: commit
+
+      - name: Configure dynamic variables
+        id: vars
+        run: |
+          # For local dev.
+          # GITHUB_OUTPUT=/dev/stdout
+          ref=${{ env.GIT_REF }}
+          echo "Ref => $ref"
+          
+          # The version of the CodeQL query pack
+          version=`cat vertx-codeql-queries/ql/src/qlpack.yml | head -n 3 | tail -n 1 | cut -d " " -f 2`
+          
+          # Check if this is a snapshot version
+          isSnapshot=false
+          if [[ $version == *"-alpha" ]]; then
+              isSnapshot=true
+          fi
+          
+          echo "version=$version" >> $GITHUB_OUTPUT 
+          echo "isSnapshot=$isSnapshot" >> $GITHUB_OUTPUT 
+
+      - name: Build
+        run: |
+
+      - name: Generate query help files
+        run: |
+          cd vertx-codeql-queries/ql/src
+          codeql generate query-help *.qhelp --format=markdown -o .
+          ls -al
+
+      - name: Remove previous query pack version for snapshot
+        if: ${{ always() && (steps.vars.outputs.isSnapshot == 'true') }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          cd vertx-codeql-queries/ql/src
+          echo "Removing previous snapshot version..."
+          codeql pack remove vertx-codeql-queries --github-auth-stdin --version $version
+
+      - name: Publish CodeQL query pack
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          cd vertx-codeql-queries/ql/src
+          codeql pack publish --github-auth-stdin --allow-prerelease
+
+      - name: Post job report comment reaction
+        uses: peter-evans/create-or-update-comment@v3
+        if: ${{ always() && (github.event.client_payload.slash_command.command != '') }}
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
+          comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
+          reactions: ${{ job.status == 'success' && 'hooray' || '-1' }}
+
+      - name: Post job report comment failure
+        uses: peter-evans/create-or-update-comment@v3
+        if: ${{ failure() && (github.event.client_payload.slash_command.command != '') }}
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
+          comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
+          reactions: ${{ job.status == 'success' && 'hooray' || '-1' }}
+          body: |
+            > 🔴 Failed to publish the package. For more details check the [build log](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}).
+
+      - name: Post job report add comment on success push
+        uses: peter-evans/create-or-update-comment@v3
+        if: ${{ success() && (github.event.client_payload.slash_command.command != '') }}
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
+          issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
+          body: |
+            #### Status
+            
+            🟢 Pushed revision `${{ steps.vars.outputs.version }}` to [carlspring/vertx-codeql-queries:${{ version }}]https://github.com/users/carlspring/packages/container/package/vertx-codeql-queries).
+            
+            #### Build log
+            
+            * For more details check the [build log](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}).
+            

.github/workflows/command-dispatcher.yml

@@ -0,0 +1,43 @@
+name: command-dispatcher
+
+on:
+  issue_comment:
+    types: [created]
+
+##
+## This does not work for private repositories anymore.
+## You must use a bot token or you will receive the following error:
+##   Command 'XYZ' is not configured for the user's permission level 'none'.
+##
+#permissions:
+#  actions: write
+#  contents: write  # For executing the repository_dispatch event
+#  issues: write  # For doing the emoji reaction on an issue comment
+#  pull-requests: write  # For doing the emoji reaction on a PR comment
+#  repository-projects: read
+#  checks: read
+#  statuses: read
+
+jobs:
+  dispatcher:
+    runs-on: ubuntu-latest
+    if: ${{ github.event.issue.pull_request }}
+    steps:
+      - name: Dispatching command
+        uses: peter-evans/slash-command-dispatch@v3
+        with:
+          reaction-token: ${{ secrets.CS_DEVOPS_BOT_TOKEN }}
+          token: ${{ secrets.CS_DEVOPS_BOT_TOKEN }}
+          config: >
+            [
+              {
+                "command": "ql:publish",
+                "permission": "write",
+                "issue_type": "pull-request"
+              },
+              {
+                "command": "help",
+                "permission": "write",
+                "issue_type": "pull-request"
+              }
+            ]

.github/workflows/command-help.yml

@@ -0,0 +1,32 @@
+name: command-help
+run-name: command-help-pr-${{ github.event.client_payload.github.payload.issue.number }}
+
+on:
+  repository_dispatch:
+    types: [help-command]
+
+permissions:
+  issues: write
+  pull-requests: write
+  contents: write
+
+jobs:
+  help:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Dump the client payload context
+        env:
+          PAYLOAD_CONTEXT: ${{ toJson(github.event.client_payload) }}
+        run: echo "$PAYLOAD_CONTEXT"
+
+      - name: Update comment
+        uses: peter-evans/create-or-update-comment@v2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
+          comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
+          body: |
+            > Command       | Description
+            > ------------- | -----------
+            > /ql:publish   | Builds and publishes the CodeQL query pack
+          reaction-type: hooray

vertx-codeql-queries/ql/src/InsecureCorsHttpOrigin.java

@@ -0,0 +1,51 @@
+package org.carlspring.security.vertx.http;
+
+import io.vertx.core.AbstractVerticle;
+import io.vertx.core.http.HttpHeaders;
+import io.vertx.core.http.HttpMethod;
+import io.vertx.ext.web.Router;
+import io.vertx.ext.web.handler.CorsHandler;
+
+/**
+ * @author carlspring
+ */
+public class InsecureCorsHttpOrigin
+        extends AbstractVerticle {
+
+    @Override
+    public void start() {
+        // Create a router
+        Router router = Router.router(vertx);
+
+        // Configure CORS handling with allowed origins, headers, and methods
+        CorsHandler corsHandler = CorsHandler.create()
+                                             // Insecure configuration that doesn't use HTTPS:
+                                             .addOrigin("http://example.com")
+                                             .allowedHeader(HttpHeaders.CONTENT_TYPE.toString())
+                                             .allowedMethod(HttpMethod.GET)
+                                             .allowedMethod(HttpMethod.POST);
+
+        // Mount the CORS handler
+        router.route().handler(corsHandler);
+
+        // Set up routes
+        router.get("/api/data").handler(routingContext -> {
+            // Handle the request and send response
+            routingContext.response()
+                          .putHeader(HttpHeaders.CONTENT_TYPE, "application/json")
+                          .end("{\"message\":\"Hello, CORS!\"}");
+        });
+
+        // Start the server
+        vertx.createHttpServer()
+             .requestHandler(router)
+             .listen(8080, ar -> {
+                 if (ar.succeeded()) {
+                     System.out.println("Server started on port 8080");
+                 } else {
+                     System.err.println("Server failed to start: " + ar.cause());
+                 }
+             });
+    }
+
+}