mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 19:31:31 +00:00
shankar0123
0f81c1b956
Two unrelated CI failures from run #25305811340; fixed in one
commit since neither needs the other to land first.
CodeQL alert #32 (go/log-injection at middleware.go:68) reopened
after b0fc067. The previous fix introduced a scrubLogValue helper
backed by strings.NewReplacer; CodeQL's taint tracker only
recognizes the literal strings.ReplaceAll pattern as a sanitizer
(matches the OWASP example in the rule docs). Wrapper helpers and
NewReplacer don't trigger the recognition, so the analyzer kept
flagging.
Fix: drop the helper. Inline strings.ReplaceAll chains directly at
the call site for r.Method and r.URL.Path. Same runtime semantics
(strip CR/LF/NUL); CodeQL pattern-matches the literal call so the
alert can finally close.
Loadtest CI failure (run #25305811340 'k6 throughput run' job at
make loadtest):
ERROR: failed to compute cache key: failed to calculate checksum
of ref ...: "/deploy/test/f5-mock-icontrol": not found
The f5-mock-icontrol Dockerfile has `COPY deploy/test/f5-mock-icontrol/
./` which assumes the build context is the repo root. The
docker-compose.test.yml f5-mock-icontrol service correctly uses the
long-form build:
build:
context: .. # = repo root from deploy/docker-compose.test.yml
dockerfile: deploy/test/f5-mock-icontrol/Dockerfile
The loadtest compose at deploy/test/loadtest/docker-compose.yml
used the shorthand:
build: ../f5-mock-icontrol
That sets context = the f5-mock-icontrol directory itself, breaking
the Dockerfile's COPY (it tries to find the directory inside itself).
Fix: change the loadtest compose to the long-form pattern matching
docker-compose.test.yml, with context: ../../.. (= repo root from
deploy/test/loadtest/) and explicit dockerfile path.
Verified locally:
gofmt: clean.
go vet ./internal/api/middleware/...: exit 0.
go test -short -count=1 ./internal/api/middleware/...: ok 0.253s.
python3 -c 'import yaml; yaml.safe_load(...)' on the compose
file: parses clean.
grep -rnE 'scrubLogValue' internal/api/: zero references (helper
fully dropped).
References:
https://github.com/certctl-io/certctl/security/code-scanning/32
CI run https://github.com/certctl-io/certctl/actions/runs/25305811340
Closes CodeQL #32 + restores loadtest CI.