fix(security): resolve CodeQL code alerts #670

Open
cl-efornaciari wants to merge 1 commit into develop from fix/codeql-code-alerts

Conversation

@cl-efornaciari

Summary

Resolves 5 CodeQL code alerts (2 go/log-injection, 3 js/empty-password-in-configuration-file).

Alerts Addressed

#    Rule ID                                   Severity  File:Line                    Status
324  go/log-injection                          high      ops/localenv/main.go:101     FIXED
325  go/log-injection                          high      ops/localenv/main.go:112     FIXED
320  js/empty-password-in-configuration-file   high      .helm-repositories.yaml:10   FIXED
321  js/empty-password-in-configuration-file   high      .helm-repositories.yaml:19   FIXED
322  js/empty-password-in-configuration-file   high      .helm-repositories.yaml:28   FIXED

Fixes Applied

go/log-injection (CWE-117)

  • File: ops/localenv/main.go
  • Change: Added sanitizeForOutput() helper that escapes backslashes, carriage returns, and newlines before passing subprocess stdout/stderr to fmt.Print. Prevents log injection when output is captured (e.g., in CI).
  • Behavior: Subprocess output (docker build, go test) now displays newlines as a literal \n to prevent forged log entries. Local dev tool; security fix takes precedence over formatting.

js/empty-password-in-configuration-file

  • File: .helm-repositories.yaml
  • Change: Removed password: '' and username: '' from all three repository entries (bitnami, chainlink-qa, grafana). These are public chart repositories that do not require authentication. Helm allows omitting optional credentials for public repos.

How changes were made

  • Go: Sanitized user-controlled subprocess output before logging per CWE-117 guidance (escape newlines).
  • YAML: Removed empty credential fields from Helm repo config; public repos do not require them.
  • No false positives; all alerts addressed with targeted changes.

Build Verification

  • go build ./ops/localenv/ succeeds

Made with Cursor

Resolves CodeQL alert(s): #320, #321, #322, #324, #325
CWE: CWE-117 (log injection), empty password in config
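The escaping described under "go/log-injection" above, as an added example that is not the PR's or the project's code. It assumes a helper with the shape sanitizeForOutput(string) string that escapes backslashes, carriage returns and newlines, plus a constructed sample of go test stdout; logCaptured, containsLineBreak, outputEscaper and forgedOutput are illustrative names, not identifiers from ops/localenv/main.go.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not the PR's code. outputEscaper maps the three characters
// that let subprocess output forge or split log entries (CWE-117) to their
// visible escape sequences. strings.NewReplacer works in a single pass, so a
// backslash already present in the output is escaped without touching the
// "\n" text produced for a real newline.
var outputEscaper = strings.NewReplacer(
	`\`, `\\`,
	"\r", `\r`,
	"\n", `\n`,
)

// sanitizeForOutput is a hypothetical stand-in for the helper the PR adds:
// it returns s with backslashes, carriage returns and newlines escaped.
func sanitizeForOutput(s string) string {
	return outputEscaper.Replace(s)
}

// containsLineBreak reports whether s could still start a new line in a
// captured log; it is false for anything sanitizeForOutput returns.
func containsLineBreak(s string) bool {
	return strings.ContainsAny(s, "\r\n")
}

// logCaptured renders one subprocess's captured output as a single labelled
// entry, the way a local dev tool would print "docker build" or "go test"
// output after sanitizing it.
func logCaptured(label string, out []byte) string {
	return fmt.Sprintf("[%s] %s", label, sanitizeForOutput(string(out)))
}

// forgedOutput is constructed sample data: stdout from a test binary that
// prints a fake status line after a newline. Printed raw, the second part
// shows up as its own entry in a CI log.
const forgedOutput = "ok github.com/example/pkg 0.01s\n[PASS] security scan: no findings"

func main() {
	fmt.Println("raw, unsanitized (the newline forges a second entry):")
	fmt.Printf("[go test] %s\n", forgedOutput)
	fmt.Println("sanitized (one entry, newline visible as \\n):")
	fmt.Println(logCaptured("go test", []byte(forgedOutput)))
}
```

Escaping rather than stripping keeps the original output recoverable: a backslash-n that was literally in the output becomes `\\n`, so it stays distinguishable from the `\n` that stands for a real line break. The cost is the one the PR description accepts: multi-line build output collapses onto a single line.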
@github-actions

👋 cl-efornaciari, thanks for creating this pull request!

To help reviewers, please consider creating future PRs as drafts first. This allows you to self-review and make any final changes before notifying the team.

Once you're ready, you can mark it as "Ready for review" to request feedback. Thanks!

