fix(security): prevent log injection in WebSocket message logging

Sanitize WebSocket messages before logging to prevent log injection attacks. User-controlled data from WebSocket messages could contain newline characters that allow forging fake log entries. Changes: - Convert message object to JSON string and remove newlines/carriage returns - Use format specifier (%s) for safe string interpolation - Applied fix to providers/WebSocketProvider.tsx and hooks/useWebsockets.ts Resolves CodeQL security alert js/log-injection Co-authored-by: GitHub Copilot Autofix <noreply@github.com>
Potential fix for code scanning alert no. 219: Workflow does not contain permissions
2026-01-16 16:18:09 +00:00 · 2025-11-07 22:35:53 +01:00 · 2025-10-26 15:32:43 +01:00 · 2025-10-26 14:39:42 +01:00
6 changed files with 19 additions and 14 deletions
--- a/.github/workflows/notification.yml
+++ b/.github/workflows/notification.yml
@@ -1,4 +1,5 @@
 name: 🛎️ Discord Notification
 permissions: {}
 on:
  pull_request:
--- a/biome.json
+++ b/biome.json
@@ -1,5 +1,5 @@
 {
-  "$schema": "https://biomejs.dev/schemas/2.2.6/schema.json",
+  "$schema": "https://biomejs.dev/schemas/2.2.7/schema.json",
  "files": {
    "includes": [
      "**/*",
--- a/bun.lock
+++ b/bun.lock
@@ -83,7 +83,7 @@
      },
      "devDependencies": {
        "@babel/core": "7.28.5",
-        "@biomejs/biome": "2.2.6",
+        "@biomejs/biome": "2.2.7",
        "@react-native-community/cli": "20.0.2",
        "@react-native-tvos/config-tv": "0.1.4",
        "@types/jest": "30.0.0",
@@ -293,23 +293,23 @@
    "@babel/types": ["@babel/types@7.28.5", "", { "dependencies": { "@babel/helper-string-parser": "^7.27.1", "@babel/helper-validator-identifier": "^7.28.5" } }, "sha512-qQ5m48eI/MFLQ5PxQj4PFaprjyCTLI37ElWMmNs0K8Lk3dVeOdNpB3ks8jc7yM5CDmVC73eMVk/trk3fgmrUpA=="],
-    "@biomejs/biome": ["@biomejs/biome@2.2.6", "", { "optionalDependencies": { "@biomejs/cli-darwin-arm64": "2.2.6", "@biomejs/cli-darwin-x64": "2.2.6", "@biomejs/cli-linux-arm64": "2.2.6", "@biomejs/cli-linux-arm64-musl": "2.2.6", "@biomejs/cli-linux-x64": "2.2.6", "@biomejs/cli-linux-x64-musl": "2.2.6", "@biomejs/cli-win32-arm64": "2.2.6", "@biomejs/cli-win32-x64": "2.2.6" }, "bin": { "biome": "bin/biome" } }, "sha512-yKTCNGhek0rL5OEW1jbLeZX8LHaM8yk7+3JRGv08my+gkpmtb5dDE+54r2ZjZx0ediFEn1pYBOJSmOdDP9xtFw=="],
+    "@biomejs/biome": ["@biomejs/biome@2.2.7", "", { "optionalDependencies": { "@biomejs/cli-darwin-arm64": "2.2.7", "@biomejs/cli-darwin-x64": "2.2.7", "@biomejs/cli-linux-arm64": "2.2.7", "@biomejs/cli-linux-arm64-musl": "2.2.7", "@biomejs/cli-linux-x64": "2.2.7", "@biomejs/cli-linux-x64-musl": "2.2.7", "@biomejs/cli-win32-arm64": "2.2.7", "@biomejs/cli-win32-x64": "2.2.7" }, "bin": { "biome": "bin/biome" } }, "sha512-1a8j0UP1vXVUf3UzMZEJ/zS2VgAG6wU6Cuh/I764sUGI+MCnJs/9WaojHYBDCxCMLTgU60/WqnYof85emXmSBA=="],
-    "@biomejs/cli-darwin-arm64": ["@biomejs/cli-darwin-arm64@2.2.6", "", { "os": "darwin", "cpu": "arm64" }, "sha512-UZPmn3M45CjTYulgcrFJFZv7YmK3pTxTJDrFYlNElT2FNnkkX4fsxjExTSMeWKQYoZjvekpH5cvrYZZlWu3yfA=="],
+    "@biomejs/cli-darwin-arm64": ["@biomejs/cli-darwin-arm64@2.2.7", "", { "os": "darwin", "cpu": "arm64" }, "sha512-xBUUsebnO2/Qj1v7eZmKUy2ZcFkZ4/jLUkxN02Qup1RPoRaiW9AKXHrqS3L7iX6PzofHY2xuZ+Pb9kAcpoe0qA=="],
-    "@biomejs/cli-darwin-x64": ["@biomejs/cli-darwin-x64@2.2.6", "", { "os": "darwin", "cpu": "x64" }, "sha512-HOUIquhHVgh/jvxyClpwlpl/oeMqntlteL89YqjuFDiZ091P0vhHccwz+8muu3nTyHWM5FQslt+4Jdcd67+xWQ=="],
+    "@biomejs/cli-darwin-x64": ["@biomejs/cli-darwin-x64@2.2.7", "", { "os": "darwin", "cpu": "x64" }, "sha512-vsY4NhmxqgfLJufr9XUnC+yGUPJiXAc1mz6FcjaAmuIuLwfghN4uQO7hnW2AneGyoi2mNe9Jbvf6Qtq4AjzrFg=="],
-    "@biomejs/cli-linux-arm64": ["@biomejs/cli-linux-arm64@2.2.6", "", { "os": "linux", "cpu": "arm64" }, "sha512-BpGtuMJGN+o8pQjvYsUKZ+4JEErxdSmcRD/JG3mXoWc6zrcA7OkuyGFN1mDggO0Q1n7qXxo/PcupHk8gzijt5g=="],
+    "@biomejs/cli-linux-arm64": ["@biomejs/cli-linux-arm64@2.2.7", "", { "os": "linux", "cpu": "arm64" }, "sha512-nUdco104rjV9dULi1VssQ5R/kX2jE/Z2sDjyqS+siV9sTQda0DwmEUixFNRCWvZJRRiZUWhgiDFJ4n7RowO8Mg=="],
-    "@biomejs/cli-linux-arm64-musl": ["@biomejs/cli-linux-arm64-musl@2.2.6", "", { "os": "linux", "cpu": "arm64" }, "sha512-TjCenQq3N6g1C+5UT3jE1bIiJb5MWQvulpUngTIpFsL4StVAUXucWD0SL9MCW89Tm6awWfeXBbZBAhJwjyFbRQ=="],
+    "@biomejs/cli-linux-arm64-musl": ["@biomejs/cli-linux-arm64-musl@2.2.7", "", { "os": "linux", "cpu": "arm64" }, "sha512-FrTwvKO/7t5HbVTvhlMOTOVQLAcR7r4O4iFQhEpZXUtBfosHqrX/JJlX7daPawoe14MDcCu9CDg0zLVpTuDvuQ=="],
-    "@biomejs/cli-linux-x64": ["@biomejs/cli-linux-x64@2.2.6", "", { "os": "linux", "cpu": "x64" }, "sha512-1HaM/dpI/1Z68zp8ZdT6EiBq+/O/z97a2AiHMl+VAdv5/ELckFt9EvRb8hDHpk8hUMoz03gXkC7VPXOVtU7faA=="],
+    "@biomejs/cli-linux-x64": ["@biomejs/cli-linux-x64@2.2.7", "", { "os": "linux", "cpu": "x64" }, "sha512-tPTcGAIEOOZrj2tQ7fdraWlaxNKApBw6l4In8wQQV1IyxnAexqi0hykHzKEX8hKKctf5gxGBfNCzyIvqpj4CFQ=="],
-    "@biomejs/cli-linux-x64-musl": ["@biomejs/cli-linux-x64-musl@2.2.6", "", { "os": "linux", "cpu": "x64" }, "sha512-1ZcBux8zVM3JhWN2ZCPaYf0+ogxXG316uaoXJdgoPZcdK/rmRcRY7PqHdAos2ExzvjIdvhQp72UcveI98hgOog=="],
+    "@biomejs/cli-linux-x64-musl": ["@biomejs/cli-linux-x64-musl@2.2.7", "", { "os": "linux", "cpu": "x64" }, "sha512-MnsysF5s/iLC5wnYvuMseOy+m8Pd4bWG1uwlVyy2AUbfjAVUgtbYbboc5wMXljFrDY7e6rLjLTR4S2xqDpGlQg=="],
-    "@biomejs/cli-win32-arm64": ["@biomejs/cli-win32-arm64@2.2.6", "", { "os": "win32", "cpu": "arm64" }, "sha512-h3A88G8PGM1ryTeZyLlSdfC/gz3e95EJw9BZmA6Po412DRqwqPBa2Y9U+4ZSGUAXCsnSQE00jLV8Pyrh0d+jQw=="],
+    "@biomejs/cli-win32-arm64": ["@biomejs/cli-win32-arm64@2.2.7", "", { "os": "win32", "cpu": "arm64" }, "sha512-h5D1jhwA2b7cFXerYiJfXHSzzAMFFoEDL5Mc2BgiaEw0iaSgSso/3Nc6FbOR55aTQISql+IpB4PS7JoV26Gdbw=="],
-    "@biomejs/cli-win32-x64": ["@biomejs/cli-win32-x64@2.2.6", "", { "os": "win32", "cpu": "x64" }, "sha512-yx0CqeOhPjYQ5ZXgPfu8QYkgBhVJyvWe36as7jRuPrKPO5ylVDfwVtPQ+K/mooNTADW0IhxOZm3aPu16dP8yNQ=="],
+    "@biomejs/cli-win32-x64": ["@biomejs/cli-win32-x64@2.2.7", "", { "os": "win32", "cpu": "x64" }, "sha512-URqAJi0kONyBKG4V9NVafHLDtm6IHmF4qPYi/b6x7MD6jxpWeJiTCO6R5+xDlWckX2T/OGv6Yq3nkz6s0M8Ykw=="],
    "@bottom-tabs/react-navigation": ["@bottom-tabs/react-navigation@0.11.2", "", { "dependencies": { "color": "^5.0.0" }, "peerDependencies": { "@react-navigation/native": ">=7", "react": "*", "react-native": "*", "react-native-bottom-tabs": "*" } }, "sha512-xjRZZe3GZ/bIADBkJSe+qjRC/pQKcTEhZgtoGb4lyINq1NPzhKXhlZHwZLzNJng/Q/+F4RD3M7bQ6oCgSHV2WA=="],
--- a/hooks/useWebsockets.ts
+++ b/hooks/useWebsockets.ts
@@ -96,7 +96,9 @@ export const useWebSocket = ({
      | Record<string, string>
      | undefined; // Arguments are Dictionary<string, string>
-    console.log("[WS] ~ ", lastMessage);
+    // Sanitize output to avoid log injection
    const msgStr = JSON.stringify(lastMessage).replaceAll(/[\n\r]/g, " ");
    console.log("[WS] ~ %s", msgStr);
    if (command === "PlayPause") {
      console.log("Command ~ PlayPause");
--- a/package.json
+++ b/package.json
@@ -101,7 +101,7 @@
  },
  "devDependencies": {
    "@babel/core": "7.28.5",
-    "@biomejs/biome": "2.2.6",
+    "@biomejs/biome": "2.2.7",
    "@react-native-community/cli": "20.0.2",
    "@react-native-tvos/config-tv": "0.1.4",
    "@types/jest": "30.0.0",
--- a/providers/WebSocketProvider.tsx
+++ b/providers/WebSocketProvider.tsx
@@ -96,7 +96,9 @@ export const WebSocketProvider = ({ children }: WebSocketProviderProps) => {
    newWebSocket.onmessage = (e) => {
      try {
        const message = JSON.parse(e.data);
-        console.log("[WS] Received message:", message);
+        // Sanitize output to avoid log injection
        const msgStr = JSON.stringify(message).replaceAll(/[\n\r]/g, " ");
        console.log("[WS] Received message: %s", msgStr);
        setLastMessage(message); // Store the last message in context
      } catch (error) {
        console.error("Error parsing WebSocket message:", error);
Author	SHA1	Message	Date
Uruk	2c0ed076d5	fix(security): prevent log injection in WebSocket message logging Sanitize WebSocket messages before logging to prevent log injection attacks. User-controlled data from WebSocket messages could contain newline characters that allow forging fake log entries. Changes: - Convert message object to JSON string and remove newlines/carriage returns - Use format specifier (%s) for safe string interpolation - Applied fix to providers/WebSocketProvider.tsx and hooks/useWebsockets.ts Resolves CodeQL security alert js/log-injection Co-authored-by: GitHub Copilot Autofix <noreply@github.com>	2025-11-07 22:35:53 +01:00
Gauvain	118c24ee05	Potential fix for code scanning alert no. 219: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>	2025-10-26 15:32:43 +01:00
renovate[bot]	61d60c2e74	chore(deps): Update dependency @biomejs/biome to v2.2.7 (#1142 ) Some checks failed 🏗️ Build Apps / 🤖 Build Android APK (Phone) (push) Has been cancelled Details 🚦 Security & Quality Gate / 🔍 Vulnerable Dependencies (push) Has been cancelled Details 🏗️ Build Apps / 🤖 Build Android APK (TV) (push) Has been cancelled Details 🏗️ Build Apps / 🍎 Build iOS IPA (Phone) (push) Has been cancelled Details 🔒 Lockfile Consistency Check / 🔍 Check bun.lock and package.json consistency (push) Has been cancelled Details 🛡️ CodeQL Analysis / 🔎 Analyze with CodeQL (actions) (push) Has been cancelled Details 🛡️ CodeQL Analysis / 🔎 Analyze with CodeQL (javascript-typescript) (push) Has been cancelled Details 🏷️🔀Merge Conflict Labeler / 🏷️ Labeling Merge Conflicts (push) Has been cancelled Details 🚦 Security & Quality Gate / 📝 Validate PR Title (push) Has been cancelled Details 🚦 Security & Quality Gate / 🚑 Expo Doctor Check (push) Has been cancelled Details 🚦 Security & Quality Gate / 🔍 Lint & Test (check) (push) Has been cancelled Details 🚦 Security & Quality Gate / 🔍 Lint & Test (format) (push) Has been cancelled Details 🚦 Security & Quality Gate / 🔍 Lint & Test (lint) (push) Has been cancelled Details 🚦 Security & Quality Gate / 🔍 Lint & Test (typecheck) (push) Has been cancelled Details 🕒 Handle Stale Issues / 🗑️ Cleanup Stale Issues (push) Has been cancelled Details 🌐 Translation Sync / sync-translations (push) Has been cancelled Details Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2025-10-26 14:39:42 +01:00