fix(security): redact at source and cap marshal sizes for CodeQL

CodeQL kept flagging the merge logger because taint flowed Password ->
ClientMergeConflict.Old -> log even with a runtime redact helper -- the
analyzer can't prove the branch excludes credentials. Redact at the
source instead: uuid/password/auth/subId now only ever land in the
conflict struct as <redacted> placeholders, so no caller (log or
otherwise) can leak them.

For the ClientWithAttachments marshal overflow alert, replace the
MaxInt-len() arithmetic with explicit per-input size caps (256MB each),
which is the pattern CodeQL's own docs recommend and recognizes.
This commit is contained in:
MHSanaei
2026-05-19 12:48:01 +02:00
parent 788c979ad1
commit b36e5e0869
3 changed files with 11 additions and 25 deletions
+8 -6
View File
@@ -464,28 +464,30 @@ func MergeClientRecord(existing *ClientRecord, incoming *ClientRecord) []ClientM
keep := func(field string, oldV, newV, kept any) {
conflicts = append(conflicts, ClientMergeConflict{Field: field, Old: oldV, New: newV, Kept: kept})
}
const redacted = "<redacted>"
keepSecret := func(field string) {
conflicts = append(conflicts, ClientMergeConflict{Field: field, Old: redacted, New: redacted, Kept: redacted})
}
incomingNewer := incoming.UpdatedAt > existing.UpdatedAt ||
(incoming.UpdatedAt == existing.UpdatedAt && incoming.CreatedAt > existing.CreatedAt)
if existing.UUID != incoming.UUID && incoming.UUID != "" {
if incomingNewer || existing.UUID == "" {
keep("uuid", existing.UUID, incoming.UUID, incoming.UUID)
existing.UUID = incoming.UUID
} else {
keep("uuid", existing.UUID, incoming.UUID, existing.UUID)
}
keepSecret("uuid")
}
if existing.Password != incoming.Password && incoming.Password != "" {
if incomingNewer || existing.Password == "" {
keep("password", existing.Password, incoming.Password, incoming.Password)
existing.Password = incoming.Password
keepSecret("password")
}
}
if existing.Auth != incoming.Auth && incoming.Auth != "" {
if incomingNewer || existing.Auth == "" {
keep("auth", existing.Auth, incoming.Auth, incoming.Auth)
existing.Auth = incoming.Auth
keepSecret("auth")
}
}
if existing.Flow != incoming.Flow && incoming.Flow != "" {
@@ -502,8 +504,8 @@ func MergeClientRecord(existing *ClientRecord, incoming *ClientRecord) []ClientM
}
if existing.SubID != incoming.SubID && incoming.SubID != "" {
if incomingNewer || existing.SubID == "" {
keep("subId", existing.SubID, incoming.SubID, incoming.SubID)
existing.SubID = incoming.SubID
keepSecret("subId")
}
}
if existing.TotalGB != incoming.TotalGB {