fix: address GitHub security findings (CodeQL #38/#40, Dependabot #207)#163
Open
cawalch wants to merge 3 commits into
Conversation
- ui_jobs.go: replace log.Printf with structured h.logger() calls for user-controlled jobID/eventID values to prevent log injection (CodeQL #40)
- middleware_csrf.go: set CSRF cookie Secure attribute to true unconditionally; app is always served over HTTPS in production (CodeQL #38)
- puppeteer-worker: add npm override to force uuid >= 11.1.1, fixing buffer bounds check vuln in transitive deps via @google-cloud/storage (Dependabot #207, CodeQL #43/#44)

- ui_jobs.go: wrap long ErrorContext call to satisfy golines
- middleware_csrf.go: rename unused r param to _, remove now-unused isForwardedHTTPS helper (both became dead code after Secure: true change)
cawalch (Contributor, Author): The line with Also this PR needs a rebase onto the latest main since the base branch has been updated.
cawalch (Contributor, Author): @dependabot rebase
Summary

Addresses all open security findings from the GitHub Security tab.

CodeQL #40 — Log injection (ERROR)

File: services/merrymaker-go/internal/http/ui_jobs.go

Replaced three `log.Printf` calls that interpolated user-controlled `jobID`/`eventID` path values into log message strings with structured `h.logger().ErrorContext`/`WarnContext` calls. Structured logging treats user values as typed fields, preventing newline-based log injection.

CodeQL #38 — Cookie Secure attribute not set (WARNING)

File: services/merrymaker-go/internal/http/middleware_csrf.go

The CSRF token cookie previously set `Secure: isSecure` (dynamic, based on TLS/proxy detection). Changed to `Secure: true` unconditionally — the app is always served over HTTPS in production (direct TLS or proxy-terminated TLS).

Dependabot #207 / CodeQL #43 #44 — `uuid < 11.1.1` (MEDIUM)

File: services/puppeteer-worker/package.json

Added an npm `overrides` entry to force `uuid@^11.1.1` across all transitive dependencies (`@google-cloud/storage` → `gaxios`, `teeny-request`). `npm audit` now reports 0 vulnerabilities.