Conversation

@CybotTM CybotTM commented Dec 19, 2025

Summary

  • Harden GitHub Actions workflow with permissions and pinned SHAs
  • Fix JavaScript log injection vulnerability
  • Document accepted risks for false positive alerts

Changes

1. Workflow Hardening

File: .github/workflows/container-test.yml

2. Log Injection Fix (CWE-117)

File: src/dashboard/static/js/dashboard.js

WebSocket message data was being logged directly to console, allowing potential log injection attacks.

Fix: Added sanitizeForLog() function that:

  • Strips control characters (\x00-\x1F\x7F)
  • Limits log message length to 200 chars
  • Prevents log flooding/forging attacks

3. Alert Documentation

File: .github/codeql/codeql-config.yml

Documents why certain alerts are accepted risks:

| Alert | Status | Reason |
|---|---|---|
| py/clear-text-logging-sensitive-data | Accepted | Intentional debug feature, secrets masked by default |
| py/jinja2/autoescape-false | Stale | Files were removed from codebase |
| py/overly-permissive-file | Accepted | Test code on temporary directories |

Test Plan

  • Container tests still pass
  • Dashboard WebSocket functionality works
  • Console logs are sanitized
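The PR description names a sanitizeForLog() helper but the page carries no code for it (and a later commit message on the page says the console.log calls were removed instead). What follows is an added example written by the editor, not the project's code, showing what such a helper looks like for browser-side logging of WebSocket payloads. It goes past the \x00-\x1F\x7F range the description mentions: it also drops the C1 controls (including NEL U+0085) and the Unicode line/paragraph separators U+2028/U+2029, because a log viewer that breaks lines on those still lets an attacker forge a new log entry. That extension, the function and constant names, and the sample payload are assumptions.

```javascript
// Added example (editor's illustration, not code from the project): a log
// sanitizer of the kind the PR description calls sanitizeForLog(), for
// browser-side logging of WebSocket payloads (CWE-117).
//
// The description mentions stripping \x00-\x1F and \x7F and capping at 200
// chars. This version also removes the C1 controls (\x80-\x9F, which include
// NEL U+0085) and the Unicode separators U+2028/U+2029. That extension, the
// names below and the sample message are assumptions, not page content.

const LOG_MAX_LEN = 200;                       // cap from the PR description
const TRUNCATION_MARK = '...[truncated]';

// Characters that can split, erase or restyle a log line: C0 controls
// (includes \n, \r, \t and ESC), DEL, C1 controls, and the Unicode separators.
const LOG_UNSAFE_RE = /[\x00-\x1F\x7F-\x9F\u2028\u2029]/g;

/**
 * Return a single-line, bounded-length string that is safe to hand to
 * console.log or a remote log sink. Non-strings are JSON-encoded first so
 * objects do not log as "[object Object]" and nested strings are covered.
 */
function sanitizeForLog(value, maxLen = LOG_MAX_LEN) {
  let str;
  if (typeof value === 'string') {
    str = value;
  } else {
    try {
      str = JSON.stringify(value);
    } catch (_e) {
      str = String(value);                      // e.g. circular structures
    }
    if (str === undefined) str = String(value); // JSON.stringify(undefined)
  }
  const cleaned = str.replace(LOG_UNSAFE_RE, '');
  if (cleaned.length <= maxLen) return cleaned;
  return cleaned.slice(0, maxLen) + TRUNCATION_MARK;
}

/**
 * What a hardened WebSocket onmessage handler does with an incoming frame:
 * log the sanitized payload only. Returns the line it logged so callers and
 * tests can inspect it; the logger is injectable for the same reason.
 */
function logWsMessage(event, log = console.log) {
  const line = 'ws message: ' + sanitizeForLog(event.data);
  log(line);
  return line;
}

// Constructed sample: a malicious peer tries to forge a second log entry via
// CRLF and to clear the terminal with an ANSI escape (ESC [ 2 J).
const forgedPayload = 'user=alice\r\n[INFO] auth ok for admin\x1B[2J';

if (typeof require !== 'undefined' && require.main === module) {
  logWsMessage({ data: forgedPayload });
  logWsMessage({ data: { type: 'ping', seq: 1 } });
  logWsMessage({ data: 'x'.repeat(500) });
}

if (typeof module !== 'undefined') {
  module.exports = { sanitizeForLog, logWsMessage, LOG_MAX_LEN, TRUNCATION_MARK };
}
```

Stripping neutralises the forgery but also hides that it was attempted; if the log is meant as forensic evidence, replace the `replace(LOG_UNSAFE_RE, '')` step with an escaping one (for instance `JSON.stringify(str)`, which renders a CR/LF pair as the visible `\r\n`) so the attempt stays on record. When the data is not needed at all, deleting the console.log calls, as the second commit message on this page describes, is the smaller and safer change.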

1. Workflow hardening (.github/workflows/container-test.yml):
   - Add explicit 'contents: read' permissions
   - Pin action SHAs for supply chain security:
     * actions/[email protected]
     * docker/[email protected]

2. Log injection fix (src/dashboard/static/js/dashboard.js):
   - Add sanitizeForLog() function to prevent log injection
   - Sanitize WebSocket message data before logging
   - Remove control characters and limit log length

3. CodeQL configuration (.github/codeql/codeql-config.yml):
   - Document accepted risks for intentional debug features
   - Note stale alerts for removed files
   - Configure security-extended queries

Alert Analysis:
- py/clear-text-logging-sensitive-data: False positive - secrets masked by default
- py/jinja2/autoescape-false: Stale alerts for removed files
- py/overly-permissive-file: Test code on temp directories
- js/log-injection: Fixed with sanitizeForLog()

Remove console.log statements that logged user-controlled WebSocket data.
CodeQL flagged these as log injection vulnerabilities (CWE-117).

Instead of sanitizing and logging, simply ignore the debug messages since
they're not critical for production operation.
@CybotTM CybotTM merged commit 9aa0f99 into main Jan 5, 2026
6 checks passed
@CybotTM CybotTM deleted the security/fix-codeql-alerts branch January 5, 2026 16:02