-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SHARD-1098 - Tickets #106
SHARD-1098 - Tickets #106
Conversation
if (err) { | ||
server.log.error(err) | ||
process.exit(1) | ||
} | ||
Logger.mainLogger.debug('Archive-server has started.') | ||
console.log(`Worker ${process.pid}: Archive-server is listening on http://0.0.0.0:${config.ARCHIVER_PORT}`) | ||
Logger.mainLogger.info(`Worker ${process.pid}: Archive-server is listening on http://0.0.0.0:${config.ARCHIVER_PORT}`) |
Check warning
Code scanning / CodeQL
Log injection Medium
user-provided value
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 22 days ago
To fix the log injection issue, we need to sanitize the user-provided input before logging it. Specifically, we should ensure that the config.ARCHIVER_PORT
value does not contain any special characters or newlines that could be used for log injection. We can achieve this by using a regular expression to remove any unwanted characters from the input.
The best way to fix the problem without changing existing functionality is to sanitize the config.ARCHIVER_PORT
value before using it in the log message. We will use the String.prototype.replace
method to remove any newline characters from the input.
-
Copy modified lines R483-R484
@@ -482,3 +482,4 @@ | ||
} | ||
Logger.mainLogger.info(`Worker ${process.pid}: Archive-server is listening on http://0.0.0.0:${config.ARCHIVER_PORT}`) | ||
const sanitizedPort = config.ARCHIVER_PORT.replace(/\n|\r/g, ""); | ||
Logger.mainLogger.info(`Worker ${process.pid}: Archive-server is listening on http://0.0.0.0:${sanitizedPort}`) | ||
State.setActive() |
// The signature is valid | ||
if ( | ||
!seen.has(sigs[i].owner) && | ||
allowedPubkeys[sigs[i].owner] && |
Check failure
Code scanning / CodeQL
User-controlled bypass of security check High
No description provided.