From 48b4bd42ebedcf62c7a17720be7b5015b6e17a1c Mon Sep 17 00:00:00 2001 From: VortexUK Date: Sat, 11 Jul 2026 13:23:11 +0100 Subject: [PATCH] fix(security): scrub the three remaining log-injection sites The refreshed main CodeQL analysis (post-#158) left three live alerts: the cache HIT log (one key log site missed in #158) and the aa.py effects-parse warning (crc/tier are FastAPI-typed ints that cannot carry CRLF, but scrub is free and clears the taint). Co-Authored-By: Claude Fable 5 --- backend/server/api/aa.py | 4 +++- backend/server/cache.py | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/backend/server/api/aa.py b/backend/server/api/aa.py index cb6156ee..095100e8 100644 --- a/backend/server/api/aa.py +++ b/backend/server/api/aa.py @@ -330,7 +330,9 @@ async def get_spell_effects(spellcrc: int, tier: int = 0) -> SpellEffectsRespons try: effects = json.loads(row.get("effects", "[]")) except Exception as exc: - _log.warning("[aa] Failed to parse effects JSON for crc=%s tier=%s: %s", spellcrc, tier, exc) + _log.warning( + "[aa] Failed to parse effects JSON for crc=%s tier=%s: %s", scrub(spellcrc), scrub(tier), exc + ) effects = [] return SpellEffectsResponse( diff --git a/backend/server/cache.py b/backend/server/cache.py index aa82b199..b0eada73 100644 --- a/backend/server/cache.py +++ b/backend/server/cache.py @@ -81,7 +81,7 @@ def get(self, key: str) -> Any | None: self._update_size() self._inc_miss() return None - _log.debug("[cache] HIT %s", key) + _log.debug("[cache] HIT %s", scrub(key)) self._inc_hit() return value