Skip to content

merge: merge develop to master #1483

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ielgnaw merged 19 commits into from
Nov 27, 2025
Merged

merge: merge develop to master #1483

ielgnaw merged 19 commits into from
Nov 27, 2025

Conversation

@terlinhe
Copy link
Collaborator

@terlinhe terlinhe commented Nov 27, 2025

No description provided.

terlinhe and others added 19 commits July 9, 2025 22:52
@terlinhe
fix: 限制server请求url
5e11fa1 
# Reviewed, transaction id: 49711
@ielgnaw
Merge pull request #1475 from terlinhe/fix_problems
90602c1 
fix: 限制server请求url
@terlinhe
fix: unzip解压处理
b7380b9 
# Reviewed, transaction id: 50255
@ielgnaw
Merge pull request #1476 from terlinhe/fix_problems
e25005c 
fix: unzip解压处理
@terlinhe
feat: --story=127136780 支持在数据库配置允许远程函数访问的主域名
7b0cfde 
# Reviewed, transaction id: 58097
@ielgnaw
Merge pull request #1477 from terlinhe/fix_problems
910d765 
feat: --story=127136780 支持在数据库配置允许远程函数访问的主域名
@terlinhe
feat: --story=127795383 vue3项目预览时, 容器样式隔离不生效
6d928b3
@terlinhe
fix: 问题修复
e28ce2c 
# Reviewed, transaction id: 59650
@terlinhe
feat: --story=118295653 对接新版bkvision
c294d1f 
# Reviewed, transaction id: 59666
@ielgnaw
Merge pull request #1478 from terlinhe/fix_problems
b502c22 
feat: --story=127795383 vue3项目预览时, 容器样式隔离不生效 & 对接新版bkvision
@terlinhe
feat: 升级axios版本
145794b
@terlinhe
fix: 文件写入优化
e1c0ec7
@terlinhe
feat: 函数列表过滤条件支持funccode
dea5c22
@terlinhe
feat: 防范属性输入公共方法抽取
3a9e655 
# Reviewed, transaction id: 60455
@ielgnaw
Merge pull request #1479 from terlinhe/fix_problems
9e2723f 
feat: 防范属性输入公共方法抽取 & 升级axios版本
@LivySara
feat: xss防护
a1eabbf 
# Reviewed, transaction id: 64339
@terlinhe
Merge pull request #1480 from LivySara/lc-livy-dev-1017
b5bb6db 
feat: xss防护
@terlinhe
feat: --story=128886695 升级typeorm
a8e234e 
# Reviewed, transaction id: 65983
@ielgnaw
Merge pull request #1482 from terlinhe/fix_problems
8055e44 
feat: --story=128886695 升级typeorm
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 27, 2025
View reviewed changes
lib/shared/security/property-injection-guard.js

if (!isSafePropertyKey(key)) {
if (strict) {
console.warn(`[Security] Rejected unsafe property key: ${key}`)

Check warning

Code scanning / CodeQL

Log injection Medium

Log entry depends on a
user-provided value
Loading
.
Log entry depends on a
user-provided value
Loading
.

Copilot Autofix

AI 2 months ago

To fix this log injection problem, the specific line (console.warn at line 105 in lib/shared/security/property-injection-guard.js and the similar usage at line 81) should sanitize the key value before writing it to the logs.

The recommended way, in case log files are plain text, is to remove line breaks (\n and \r) or replace them with a visible marker. Also, if the key is not a string for some reason, we should safely coerce it. The most straightforward fix is to replace all instances of ${key} with ${sanitizeForLog(key)}, where sanitizeForLog strips or escapes problematic characters.

This can be achieved by:

  1. Adding a helper function sanitizeForLog in lib/shared/security/property-injection-guard.js that removes or encodes newline and carriage return characters from the string.
  2. Rewriting log statements on lines 81 and 105 to use sanitizeForLog(key) instead of interpolating the raw key value.

No external dependencies are required.

Suggested changeset 1
lib/shared/security/property-injection-guard.js

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/lib/shared/security/property-injection-guard.js b/lib/shared/security/property-injection-guard.js
--- a/lib/shared/security/property-injection-guard.js
+++ b/lib/shared/security/property-injection-guard.js
@@ -3,6 +3,13 @@
  * @author LessCode Security Team
  */
 
+// Helper to sanitize user input before logging (removes newline/carriage returns etc.)
+function sanitizeForLog(value) {
+    if (typeof value !== 'string') value = String(value)
+    // Remove line breaks and carriage returns to avoid log injection
+    return value.replace(/[\r\n]/g, '')
+}
+
 // 禁止的属性名,这些属性可能被用于原型链污染攻击
 const FORBIDDEN_KEYS = [
     '__proto__',
@@ -78,7 +85,7 @@
                     }
                 } else if (strict) {
                     // 严格模式下,记录不安全的属性但拒绝合并
-                    console.warn(`[Security] Rejected unsafe property key: ${key}`)
+                    console.warn(`[Security] Rejected unsafe property key: ${sanitizeForLog(key)}`)
                 }
             }
         }
@@ -102,7 +109,7 @@
     
     if (!isSafePropertyKey(key)) {
         if (strict) {
-            console.warn(`[Security] Rejected unsafe property key: ${key}`)
+            console.warn(`[Security] Rejected unsafe property key: ${sanitizeForLog(key)}`)
             return false
         }
         return false
@@ -128,7 +135,7 @@
             if (isSafePropertyKey(key)) {
                 callback(key, obj[key])
             } else if (strict) {
-                console.warn(`[Security] Skipped unsafe property key: ${key}`)
+                console.warn(`[Security] Skipped unsafe property key: ${sanitizeForLog(key)}`)
             }
         }
     }
EOF
@@ -3,6 +3,13 @@
* @author LessCode Security Team
*/

// Helper to sanitize user input before logging (removes newline/carriage returns etc.)
function sanitizeForLog(value) {
if (typeof value !== 'string') value = String(value)
// Remove line breaks and carriage returns to avoid log injection
return value.replace(/[\r\n]/g, '')
}

// 禁止的属性名,这些属性可能被用于原型链污染攻击
const FORBIDDEN_KEYS = [
'__proto__',
@@ -78,7 +85,7 @@
}
} else if (strict) {
// 严格模式下,记录不安全的属性但拒绝合并
console.warn(`[Security] Rejected unsafe property key: ${key}`)
console.warn(`[Security] Rejected unsafe property key: ${sanitizeForLog(key)}`)
}
}
}
@@ -102,7 +109,7 @@

if (!isSafePropertyKey(key)) {
if (strict) {
console.warn(`[Security] Rejected unsafe property key: ${key}`)
console.warn(`[Security] Rejected unsafe property key: ${sanitizeForLog(key)}`)
return false
}
return false
@@ -128,7 +135,7 @@
if (isSafePropertyKey(key)) {
callback(key, obj[key])
} else if (strict) {
console.warn(`[Security] Skipped unsafe property key: ${key}`)
console.warn(`[Security] Skipped unsafe property key: ${sanitizeForLog(key)}`)
}
}
}
Copilot is powered by AI and may make mistakes. Always verify output.
@tencentblueking-adm
Copy link

tencentblueking-adm commented Nov 27, 2025
edited
Loading

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
2 out of 3 committers have signed the CLA.

✅ terlinhe
✅ ielgnaw
❌ LivySara
You have signed the CLA already but the status is still pending? Let us recheck it.

@ielgnaw ielgnaw merged commit 57ec22c into master Nov 27, 2025
7 of 8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ielgnaw ielgnaw ielgnaw approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@terlinhe @tencentblueking-adm @ielgnaw @LivySara