fix(security): resolve CodeQL alert #442 (waitlist log injection) #137

Merged: beenuar merged 1 commit into main from fix/codeql-442, May 14, 2026

@beenuar beenuar commented May 14, 2026

Summary

Resolves the last open CodeQL alert: #442 py/log-injection in services/api/app/api/v1/endpoints/waitlist.py.

PR #136 already inlined .replace() sanitisation for previous / payload.status (the values flagged by alerts #413 / #441), but the next CodeQL scan surfaced a new sub-alert against the same logger.info call — this time tainting on entry_id (path param) and user.user_id (auth context), which also flow into the log extra dict.

Both values are typed as uuid.UUID, so their string form is always [0-9a-f-]{36} and cannot contain CR/LF. But CodeQL's taint tracker treats path params and auth-context values as user-controlled regardless of upstream validation, so the alert re-fired.

Fix

Apply the same inline sanitisation pattern that already covered the status fields:

safe_entry_id = str(entry_id).replace("\r", "").replace("\n", " ")[:36]
safe_actor    = str(user.user_id).replace("\r", "").replace("\n", " ")[:36]

and log safe_entry_id / safe_actor in place of str(entry_id) / str(user.user_id). No behaviour change — these were already canonical UUID strings — but now the sanitiser is explicit at the call site, which is what CodeQL's static analyser needs.

Verification

  • python3 -m py_compile services/api/app/api/v1/endpoints/waitlist.py
  • ruff format ✅ (no changes)
  • ruff check

After merge, CodeQL re-runs on main and alert #442 should auto-close, bringing open alerts to 0.

Test plan

  • Local syntax + format + lint pass
  • CI green on this PR (Python lint, tests, OpenAPI, etc.)
  • Post-merge CodeQL scan closes #442
  • No new alerts surface (verify open count == 0)

Made with Cursor
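
An added example (not code from this PR or repository) of the CR/LF case that `py/log-injection` targets and of the replace chain quoted in the description above. The logger name, text format, `extra` keys and sample values are assumptions, as is applying the 36-character cap to the status field.

```python
import io
import logging
import re
import uuid

def sanitise(value, limit=36):
    """The PR's inline chain: drop CR, turn LF into a space, cap the length."""
    return str(value).replace("\r", "").replace("\n", " ")[:limit]

def render(entry_id, actor, status, *, safe):
    """Emit one record through a line-oriented handler; return what was written."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    # Hypothetical text format; the real service's formatter is not on the page.
    handler.setFormatter(logging.Formatter(
        "%(levelname)s %(message)s entry=%(entry_id)s actor=%(actor)s status=%(new_status)s"))
    log = logging.getLogger("waitlist_demo")
    log.handlers = [handler]
    log.setLevel(logging.INFO)
    log.propagate = False
    clean = sanitise if safe else str
    log.info("waitlist.patch", extra={
        "entry_id": clean(entry_id),
        "actor": clean(actor),
        "new_status": clean(status),
    })
    return buf.getvalue()

def uuid_unchanged(u):
    """str(uuid.UUID) is 36 chars of [0-9a-f-], so the chain leaves it as-is."""
    text = str(u)
    return bool(re.fullmatch(r"[0-9a-f-]{36}", text)) and sanitise(u) == text

# Constructed sample values, not taken from the project.
ENTRY = uuid.UUID("11111111-2222-4333-8444-555555555555")
ACTOR = uuid.UUID("aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee")
FORGED = "approved\r\nINFO waitlist.patch entry=forged actor=forged status=approved"

if __name__ == "__main__":
    print(render(ENTRY, ACTOR, FORGED, safe=False), end="")  # two lines, one forged
    print(render(ENTRY, ACTOR, FORGED, safe=True), end="")   # one line
    print(uuid_unchanged(ENTRY), uuid_unchanged(ACTOR))
```

The unsanitised status value splits into a second, attacker-shaped log line; the sanitised one stays on a single line, and the UUID values pass through the chain unchanged.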

CodeQL py/log-injection alert #442 flagged the `logger.info` call in
`patch_entry` because the `entry_id` path param (uuid.UUID) and
`user.user_id` (also a UUID) flow into the log record's `extra` dict.

The previous (`previous`) and next (`payload.status`) status fields
were already sanitised inline in PR #136 to clear alerts #413 / #441,
but CodeQL then surfaced #442 against the remaining two values.

Both `entry_id` and `user.user_id` are typed as `uuid.UUID`, so their
string form is always `[0-9a-f-]{36}` and cannot contain CR/LF. But
CodeQL's taint tracker treats path params and auth-context values as
user-controlled regardless of upstream validation, so the alert
re-fired on the next scan.

Apply the same inline `.replace("\r", "").replace("\n", " ")[:36]`
sanitisation to `entry_id` and `user.user_id`, matching the pattern
used for `previous` / `payload.status`. This silences the alert
without weakening any existing guarantee.
@beenuar beenuar merged commit 9dbbc3c into main May 14, 2026
25 checks passed
@beenuar beenuar deleted the fix/codeql-442 branch May 14, 2026 16:32
beenuar added a commit that referenced this pull request May 14, 2026
Brings every cross-cutting doc surface in line with the 21 PRs that
landed on `main` on 2026-05-14, anchored by the v8.0 architectural
foundation (PR #125) and the security + correctness wave that
followed it.

- `CHANGELOG.md` — new `[Unreleased]` block covering the v8.0
  architectural foundation (graph at ingest, four-agent rebrand,
  `/hunt`, sixteen connectors, automation maturity, public
  scoreboard), the eight-PR security hardening wave (PRs #116-#128),
  the three-PR CodeQL alert sweep to zero (#133, #136, #137), the
  UEBA env-var alignment (PR #135, first community contribution,
  closes #134), the security-smoke + UX cleanup pair (PR #132,
  closes #131 + #130), and the playbook engine correctness pass
  (PR #129).
- `README.md` — new `v8.0 wave-1 (on main, not yet tagged)` entry
  in the version-history section; `Next` block rewritten as
  `v8.0 wave-2` with the still-`[~]` items from
  `AISOC_V8_PROGRESS.md`. Version badge intentionally not bumped
  (still 7.3.1) because wave-1 is on `main` but not tagged.
- `AGENTS.md` — new `v8.0 wave-1` block under "Learned Workspace
  Facts" documenting the four-agent topology, `/hunt` surface,
  connector inventory, automation maturity ladder, security wave
  outcomes, CodeQL hygiene patterns (inline `replace`-chain
  sanitisation for `py/log-injection`, single import style for
  `py/import-and-import-from`), and the UEBA env-var dual-alias
  convention.
- `AISOC_V8_PROGRESS.md` — `Status` block refreshed to record that
  PR #125 shipped at `b854010e` on 2026-05-14, list the 12
  post-merge PRs that landed on `main` after it, and clarify that
  wave-2 is the still-tracked `[~]` work.
- `apps/docs/docs/deployment/env-vars.md` — UEBA section rewritten
  around the dual-alias rule (unprefixed wins over `UEBA_`-prefixed,
  matches every other Python service and the `docker-compose.yml`
  exports); table now lists canonical + legacy names side by side.
- `apps/docs/docs/operations/security.md` — new `Static analysis
  (CodeQL)` section: zero alerts on `main` as a CI gate, plus the
  two patterns that came up repeatedly during the sweep
  (inline-at-call-site sanitisation for `py/log-injection`, single
  import style for `py/import-and-import-from`).

No code changes; pure documentation sync.

Co-authored-by: Beenu Arora <[email protected]>