From 18948fe3f99ac6246224fe34ab2aaf701c52106c Mon Sep 17 00:00:00 2001
From: Eric Fornaciari
Date: Fri, 20 Feb 2026 09:28:51 -0800
Subject: [PATCH] fix(security): resolve CodeQL code alerts

Resolves CodeQL alert(s): #320, #321, #322, #324, #325 CWE: CWE-117 (log injection), empty password in config
---
 .helm-repositories.yaml | 6 ------
 ops/localenv/main.go | 12 ++++++++++--
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/.helm-repositories.yaml b/.helm-repositories.yaml
index 4f875a2b7..165c72a10 100644
--- a/.helm-repositories.yaml
+++ b/.helm-repositories.yaml
@@ -7,24 +7,18 @@ repositories:
 keyFile: ''
 name: bitnami
 pass_credentials_all: false
- password: ''
 url: https://charts.bitnami.com/bitnami
- username: ''
 - caFile: ''
 certFile: ''
 insecure_skip_tls_verify: false
 keyFile: ''
 name: chainlink-qa
 pass_credentials_all: false
- password: ''
 url: https://raw.githubusercontent.com/smartcontractkit/qa-charts/gh-pages/
- username: ''
 - caFile: ''
 certFile: ''
 insecure_skip_tls_verify: false
 keyFile: ''
 name: grafana
 pass_credentials_all: false
- password: ''
 url: https://grafana.github.io/helm-charts
- username: ''
diff --git a/ops/localenv/main.go b/ops/localenv/main.go
index e1ed097dd..78c9df78b 100644
--- a/ops/localenv/main.go
+++ b/ops/localenv/main.go
@@ -66,6 +66,14 @@ func main() {
 }
 }
 
+// sanitizeForOutput escapes newlines/carriage returns to prevent log injection (CWE-117).
+func sanitizeForOutput(s string) string {
+ s = strings.ReplaceAll(s, "\\", "\\\\")
+ s = strings.ReplaceAll(s, "\r", "\\r")
+ s = strings.ReplaceAll(s, "\n", "\\n")
+ return s
+}
+
 func setEnvIfNotExists(key, defaultValue string) {
 value := os.Getenv(key)
 if value == "" {
@@ -98,7 +106,7 @@ func run(name string, f string, args ...string) {
 wg.Done()
 break
 }
- fmt.Print(string(p[:n]))
+ fmt.Print(sanitizeForOutput(string(p[:n])))
 }
 }()
 go func() {
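Review bot: Dropping the `password: ''` and `username: ''` keys closes the alert, but the remaining fields (`pass_credentials_all`, `insecure_skip_tls_verify`, `caFile`, `keyFile`) look like the layout a Helm repository list is written in by tooling, and if this file is ever regenerated that way the empty keys will likely be written back and the alert reopened. If that is the case, a short comment at the top of the file, e.g. `# credential keys intentionally omitted; see CodeQL alerts #320-#325`, or a CodeQL path exclusion for this file, would keep the fix from being silently undone.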
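Review bot: Escaping `\n` in `sanitizeForOutput` and applying it to the raw relay in `run` (the `fmt.Print(sanitizeForOutput(string(p[:n])))` lines in this hunk and the next, at new-file lines 106 and 117) changes the tool's behaviour: every newline the child process writes becomes the two literal characters `\n`, and since `fmt.Print` adds none, the whole of the child's stdout and stderr is concatenated onto a single terminal line, with any backslashes (Windows paths, regexes) doubled. CWE-117 is about untrusted data written into log records, whereas this code streams a subprocess's own output to the console, so the cleaner choices are either to treat the relay as a pass-through and dismiss the alert with a written justification, or, if it is genuinely meant as a log, to buffer and escape per line rather than per `read` chunk (a chunk boundary can split `\r\n` or a line) and also neutralise other control characters such as ESC, which this helper lets through. The helper also depends on `strings` being imported at the top of the file, which is outside the hunk, and the `run` goroutines it is called from begin and end outside both hunks. If the escaping stays, the doc comment should state its limits: `// sanitizeForOutput escapes backslashes, CR and LF so relayed subprocess output cannot forge additional log lines (CWE-117); other control characters pass through unchanged.`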
@@ -109,7 +117,7 @@ func run(name string, f string, args ...string) {
 wg.Done()
 break
 }
- fmt.Print(string(p[:n]))
+ fmt.Print(sanitizeForOutput(string(p[:n])))
 }
 }()