fix: sanitize user input for log injection protection in ProxyHostHandler

This commit is contained in:
GitHub Actions
2026-01-01 03:06:36 +00:00
parent 5a3f0fed62
commit beb230c0d6
2 changed files with 29 additions and 12 deletions


@@ -42,3 +42,18 @@ extensions:
# TestURLConnectivity validates URLs internally via security.ValidateExternalURL
# and ssrfSafeDialer - it's a terminating function, not a pass-through
- ["github.com/Wikid82/charon/backend/internal/utils", "TestURLConnectivity", "manual"]
# Mark log sanitization functions as sanitizers for log injection (CWE-117)
# These functions remove newlines and control characters from user input before logging
- addsTo:
pack: codeql/go-all
extensible: summaryModel
data:
# util.SanitizeForLog sanitizes strings by:
# 1. Replacing \r\n and \n with spaces
# 2. Removing all control characters [\x00-\x1F\x7F]
# Input: Argument[0] (unsanitized string)
# Output: ReturnValue[0] (sanitized string - safe for logging)
- ["github.com/Wikid82/charon/backend/internal/util", "SanitizeForLog", "Argument[0]", "ReturnValue[0]", "taint", "manual"]
# handlers.sanitizeForLog is a local sanitizer with same behavior
- ["github.com/Wikid82/charon/backend/internal/api/handlers", "sanitizeForLog", "Argument[0]", "ReturnValue[0]", "taint", "manual"]
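Review bot: The two rows added on L27 and L29 are `summaryModel` entries of kind `taint`, which tells CodeQL that taint flows from `Argument[0]` to the return value — a propagation model, not a sanitizer — so the comments on L16 and L22–L26 ("Mark log sanitization functions as sanitizers", "sanitized string - safe for logging") describe the opposite of what the data does, and go/log-injection (CWE-117) alerts will still fire past these calls. If the intent is for flow to stop at `SanitizeForLog`/`sanitizeForLog`, these rows should not carry a `taint` summary; the usual way to say "this call does not propagate" in a data extension is a neutral model (`extensible: neutralModel`), to be confirmed against the `codeql/go-all` schema the pack pins, otherwise the comment should be corrected to say propagation is deliberately kept and sanitization is judged from the function body. Separately, for a function with a single return the Go models commonly use `ReturnValue` rather than the indexed `ReturnValue[0]`; worth confirming the indexed form is accepted by this pack version. The enclosing `extensions:` list begins before the hunk, and the header counts 15 added lines against 14 visible here, so one line (likely a blank) may have been lost in rendering.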