π Release: beta β master#87
β¦ck.js; deploy health debug Made-with: Cursor
Made-with: Cursor
Made-with: Cursor
| }, | ||
| ); | ||
| function logErr(prefix, err) { | ||
| console.error(`[healthcheck] ${prefix}`, err); |
Check warning
Code scanning / CodeQL
Log injection Medium
Copilot Autofix
AI about 2 months ago
In general, the fix is to avoid writing raw, potentially user-controlled strings (including error messages) directly to logs. Instead, sanitize them to remove or neutralize control characters (especially \n and \r) or clearly delimit them so they cannot forge additional log entries.
For this specific code, the cleanest low-impact change is to modify logErr so it never passes potentially untrusted values directly to console.error. Instead, build a safe, single-line string representation of the error or reason by:
- Extracting a meaningful message (from `err.message`, `err.toString()`, or `String(err)`).
- Stripping newline and carriage-return characters.
- Including a minimal type indicator if useful (e.g., `ErrorName: message`).
We then log just that sanitized string along with the prefix, keeping semantics the same (we still report the error) while preventing multi-line injection. Only the logErr helper and its immediate logging call need to change, within healthcheck.js, and no new imports or dependencies are required.
| @@ -18,7 +18,11 @@ | ||
| } | ||
|
|
||
| function logErr(prefix, err) { | ||
| console.error(`[healthcheck] ${prefix}`, err); | ||
| const raw = (err && typeof err === 'object' && 'message' in err) | ||
| ? String(err.message) | ||
| : String(err); | ||
| const safe = raw.replace(/[\r\n]+/g, ' '); | ||
| console.error(`[healthcheck] ${prefix}: ${safe}`); | ||
| } | ||
|
|
||
| process.on('uncaughtException', (err) => { |
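Review bot: The sanitizer on the `const safe = ...` line only strips `\r` and `\n`, so an attacker-influenced message can still carry other control characters — notably ESC (`\x1b`) for ANSI sequences that move the cursor or clear lines, and backspace — which lets a log entry be visually rewritten on a terminal even though CodeQL's newline check is satisfied; strip the whole C0/DEL range instead, `const safe = raw.replace(/[\x00-\x1f\x7f]+/g, ' ');`. The same template also interpolates `prefix` unsanitized; from this hunk it looks like a caller-supplied literal, but if any call site derives it from request data it needs the same treatment. Note the rewrite also drops `err.stack` and `err.cause` that the old `console.error(..., err)` printed, which is a real debuggability loss in an `uncaughtException` path; if the stack is wanted, sanitize `err.stack` with the same regex rather than reverting to the raw object. `String(err)` can itself throw for objects with no `toString` (e.g. `Object.create(null)`), which inside an uncaught-exception handler would mask the original failure, so a `try` around the conversion is worth considering.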
π Automated Release PR
This PR contains all changes from beta to master.
π¦ Latest Changes
π§ Notes