fix: redact logging of sensitive config & CSRF validation #4955

Open
psyke83 wants to merge 3 commits into LizardByte:master from psyke83:redact_sensitive_config

@psyke83 (Contributor) commented Apr 6, 2026

  • Currently redacts csrf_allowed_origins.
  • Add simple validation of CSRF entries to ensure they are prefixed
    with 'https://'.
  • Individual invalid CSRF entries will be logged unredacted to assist
    troubleshooting.

@ReenigneArcher (Member)

If we're going to do this, can you add some basic regex validation to the allowed origins options so if it's not properly formatted it will at least log an error/warning. I think we basically only need to check that it starts with https://.

@psyke83 force-pushed the redact_sensitive_config branch from 34a366a to d7f0fa9, April 8, 2026 02:13
@psyke83 changed the title from "fix: redact logging of sensitive config" to "fix: redact logging of sensitive config & CSRF validation", Apr 8, 2026
@psyke83 force-pushed the redact_sensitive_config branch from d7f0fa9 to fd5db54, April 8, 2026 02:16
* Currently redacts csrf_allowed_origins.
* Add simple validation of CSRF entries to ensure they are prefixed
  with 'https://'.
* Individual invalid CSRF entries will be logged unredacted to assist
  troubleshooting.
@psyke83 force-pushed the redact_sensitive_config branch from fd5db54 to 8b4cf78, April 8, 2026 02:36
@psyke83 marked this pull request as ready for review, April 8, 2026 02:39
@psyke83 (Contributor, Author) commented Apr 8, 2026

@ReenigneArcher

Ready for review. I would say that the remaining SonarQube errors can be disregarded, as I'm following the established signature of apply_config's vars, and the new function's purpose is aimed at cutting down duplication of redaction logic in main.cpp. Let me know if you disagree.

It currently is only doing CSRF validation on the basis that the string is >8 chars and starts with 'https://'.
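
The rule described in this comment, written out as an added example that is not part of the PR or of the project's code: entries longer than 8 characters that start with `https://` are accepted, the configured value is redacted in the log line, and rejected entries are logged as-is. The function names, the comma-separated value format, the `[REDACTED]` marker and the log wording are assumptions.

```cpp
#include <cstddef>
#include <string>
#include <string_view>
#include <vector>

// Hypothetical names throughout; this is not the project's own code.
struct OriginCheck {
  std::vector<std::string> valid;    // entries accepted by the rule
  std::vector<std::string> invalid;  // entries logged unredacted for troubleshooting
};

// Trim ASCII spaces and tabs from both ends of an entry.
static std::string trim(std::string_view s) {
  const auto b = s.find_first_not_of(" \t");
  if (b == std::string_view::npos) return {};
  const auto e = s.find_last_not_of(" \t");
  return std::string(s.substr(b, e - b + 1));
}

// Rule from the thread: longer than 8 characters and prefixed with "https://".
bool origin_ok(std::string_view o) {
  constexpr std::string_view prefix = "https://";
  return o.size() > prefix.size() && o.substr(0, prefix.size()) == prefix;
}

// Split a comma-separated value (assumed format) and classify each entry.
OriginCheck check_origins(std::string_view value) {
  OriginCheck r;
  std::size_t pos = 0;
  while (pos <= value.size()) {
    auto comma = value.find(',', pos);
    if (comma == std::string_view::npos) comma = value.size();
    const std::string entry = trim(value.substr(pos, comma - pos));
    if (!entry.empty()) (origin_ok(entry) ? r.valid : r.invalid).push_back(entry);
    pos = comma + 1;
  }
  return r;
}

// Build the log lines: the full value is redacted, only rejected entries appear.
std::vector<std::string> log_lines(std::string_view name, std::string_view value) {
  std::vector<std::string> out{"config: '" + std::string(name) + "' = [REDACTED]"};
  for (const auto &bad : check_origins(value).invalid)
    out.push_back("warning: invalid " + std::string(name) + " entry: " + bad);
  return out;
}
```

A prefix check accepts any text after the scheme, so it catches a missing or wrong scheme but does not confirm that an entry is a well-formed origin.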

ReenigneArcher previously approved these changes Apr 8, 2026
@codecov bot commented Apr 8, 2026

Bundle Report

Bundle size has no change ✅

@sonarqubecloud bot commented Apr 8, 2026

Quality Gate failed

Failed conditions
2 New issues
2 New Code Smells (required ≤ 0)
