Skip to content

chore: security updates#324

Open
yashmehrotra wants to merge 5 commits into
masterfrom
sec-upd
Open

chore: security updates#324
yashmehrotra wants to merge 5 commits into
masterfrom
sec-upd

Conversation

@yashmehrotra

@yashmehrotra yashmehrotra commented Jul 3, 2026

Copy link
Copy Markdown
Member

Summary by CodeRabbit

  • Bug Fixes

    • Improved log sanitization so secrets are redacted more consistently, including URLs, query strings, and trace output.
    • Updated HTTP logging to better handle formatted messages and reduce accidental secret exposure.
  • Documentation

    • Added a security policy with guidance for reporting vulnerabilities and expected response timelines.
  • Tests

    • Added fuzz and unit test coverage for secret redaction.
    • Improved HTTP tests by using local test servers instead of external requests.
  • Chores

    • Tightened GitHub Actions permissions across workflows.
    • Updated several dependencies.

@socket-security

socket-security Bot commented Jul 3, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedgithub.com/​flanksource/​commons@​v1.47.2 ⏵ v1.53.171 +1100100100100
Updatedgithub.com/​ulikunitz/​xz@​v0.5.12 ⏵ v0.5.1596100 +2100100100

View full report

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@yashmehrotra, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 56 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8df9df45-cb22-44a3-858b-f4771e39c066

📥 Commits

Reviewing files that changed from the base of the PR and between bf7a7ce and e6561f8.

📒 Files selected for processing (2)
  • http/curl.go
  • logger/sanitize.go

Walkthrough

This PR restricts GitHub Actions workflow token permissions, adds a SECURITY.md policy, hardens secret redaction in logger/sanitize.go (SHA-256 hashing, stricter URL gating, first-delimiter splitting) applied through Tracef and HTTP logging paths, refactors HTTP tests to use a local TLS server, and bumps Go module dependencies.

Changes

Secret redaction hardening

Layer / File(s) Summary
Core sanitize.go redaction logic
logger/sanitize.go, logger/sanitize_fuzz_test.go, logger/sanitize_test.go
Long-secret hashing switches from MD5 to SHA-256, URL redaction fast-path requires non-empty scheme/host and no whitespace, key/value splitting uses first-delimiter only, and new fuzz plus URL-query redaction tests are added.
Tracef propagation
logger/default.go, http/client.go, http/curl.go, http/digest.go
Tracef now strips secrets from formatted messages; call sites in the AWS Sigv4 tracer and curl logging pass explicit %s format strings, and digest hash selection gains clarifying comments.
HTTP middleware logger redaction and URL formatting
http/middlewares/logger.go
sanitizeBody falls back to StripSecrets, logAt/jsonLogAt strip secrets from formatted messages before logging, and jsonLogger/prettyLogger use accessURL(req) and %s formatting.

HTTP test infrastructure improvements

Layer / File(s) Summary
Local TLS header-echo server
http/http_test.go
Adds newHeaderEchoServer and rewires "Host Header" and "No Auth" subtests to use a local TLS server instead of external httpbin.org requests.

CI workflow permissions and security policy

Layer / File(s) Summary
Workflow permissions restrictions
.github/workflows/hx-test.yml, .github/workflows/lint.yml, .github/workflows/release.yml, .github/workflows/test.yml
Adds contents: read at the workflow level for hx-test, lint, and test workflows, and adds workflow/job-level permissions in release.yml, including write scopes for semantic-release.
Security policy
SECURITY.md
Adds vulnerability reporting instructions and response/disclosure timelines.

Go module dependency updates

Layer / File(s) Summary
Root go.mod bumps
go.mod
Bumps ulikunitz/xz, OpenTelemetry modules, go-jose, and golang.org/x/sys.
cmd/hx/go.mod bumps
cmd/hx/go.mod
Bumps flanksource/commons, replaces go-http-digest-auth-client with antchfx xmlquery/xpath, bumps gomplate/is-healthy/go-jose, adds groupcache, and upgrades OpenTelemetry and golang.org/x/sys.

Compact metadata: 16 files changed across workflows, security policy, HTTP client/logging, logger sanitization, and Go module dependencies.

Related issues: None linked in the provided information.

Related PRs: None linked in the provided information.

Suggested labels: security, dependencies, ci

Suggested reviewers: None specified.

🐰 A rabbit hops through logs so neat,
Stripping secrets, no repeat,
Workflows locked with read-only key,
SHA-256 sets long hashes free,
TLS test server, local and light,
Modules bumped, all set right.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches the main theme of tightening security and updating related dependencies.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch sec-upd
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch sec-upd

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@yashmehrotra yashmehrotra requested a review from moshloop July 3, 2026 12:40
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

Gavel summary

Source Pass Fail Skip Duration
github.com/flanksource/commons/http 93 2 2 12.8s
github.com/flanksource/commons/logger 45 2 0 10ms
lint: golangci-lint 0 1 0 759.653µs
collections 49 0 0 3.0s
files 41 0 0 43ms
github.com/flanksource/commons/certs 4 0 0 220ms
github.com/flanksource/commons/cmd/hx 8 0 0 -
github.com/flanksource/commons/cmd/hx/parse 26 0 0 -
github.com/flanksource/commons/collections/syncmap 10 0 0 -
github.com/flanksource/commons/context 1 0 0 -
github.com/flanksource/commons/duration 2 0 0 -
github.com/flanksource/commons/files 16 0 0 -
github.com/flanksource/commons/har 30 0 0 -
github.com/flanksource/commons/hash 13 0 0 -
github.com/flanksource/commons/logger/httpretty/internal/color 15 0 0 -
github.com/flanksource/commons/logger/httpretty/internal/header 1 0 0 -
github.com/flanksource/commons/lookup 7 0 0 -
github.com/flanksource/commons/test 5 0 1 20ms
github.com/flanksource/commons/text 1 0 0 -
github.com/flanksource/commons/tokenizer 3 0 0 -
lint: betterleaks 0 0 1 -
logger 41 0 0 1ms
set 7 0 0 405.258µs

Totals: 418 passed · 5 failed · 4 skipped · 16.1s

Failing tests

github.com/flanksource/commons/http — TestToCurl/auth_headers_are_included_unredacted

curl_test.go:58: 
        Expected
            <string>: curl -X GET 'https://example.com' -H 'Authorization: Bearer ****n' -H 'Cookie: session=abc123'
        to contain substring
            <string>: -H 'Authorization: Bearer secret-token'

github.com/flanksource/commons/http — TestToCurl

github.com/flanksource/commons/logger — TestSanitize

github.com/flanksource/commons/logger — TestSanitize/Leave_non-sensitive_headers_intact

sanitize_test.go:82:   http.Header{
        - 	"Accept-Language": {"e****"},
        + 	"Accept-Language": {"en-US"},
        - 	"User-Agent":      {"****0"},
... (2 more lines truncated)

Failing linters

golangci-lint — error

golangci-lint execution failed: fork/exec /home/runner/work/commons/commons/.gavel/golangci-lint: exec format error
Output:

View full results

Comment thread http/middlewares/logger.go
Comment thread logger/default.go
Comment thread logger/sanitize.go Fixed

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@logger/sanitize.go`:
- Around line 132-134: The URL fast-path in sanitize logic is only redacting
userinfo and still leaves sensitive query parameters exposed, so update the
handling in the URL parsing branch to redact or sanitize RawQuery before
returning. Use the sanitize path around url.Parse/text checks in sanitize.go,
and ensure the fast-path applies the same sensitive-key protection as the
IsSensitiveKey loop so absolute URLs with secrets in query strings are not
logged verbatim.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e1ddf3ab-fc92-4d1c-9063-1190a6349768

📥 Commits

Reviewing files that changed from the base of the PR and between 516bc6d and 7d42fe5.

⛔ Files ignored due to path filters (2)
  • cmd/hx/go.sum is excluded by !**/*.sum
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (14)
  • .github/workflows/hx-test.yml
  • .github/workflows/lint.yml
  • .github/workflows/release.yml
  • .github/workflows/test.yml
  • SECURITY.md
  • cmd/hx/go.mod
  • go.mod
  • http/client.go
  • http/curl.go
  • http/digest.go
  • http/middlewares/logger.go
  • logger/default.go
  • logger/sanitize.go
  • logger/sanitize_fuzz_test.go

Comment thread logger/sanitize.go
yashmehrotra and others added 2 commits July 3, 2026 22:37
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
logger/sanitize_test.go (1)

88-102: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

New test correctly validates URL query redaction.

Verified against StripSecrets's URL fast-path (query key redaction + uri.Redacted() password masking): the assertions correctly hold given PrintableSecret's output format for a 12-char secret and Go's URL redaction behavior.

Minor stylistic note: assertions use substring Contains checks rather than an exact-match comparison (like cmp.Diff used in TestSanitize above). This is sufficient to catch the leak scenario being tested, but an exact expected-string comparison would be a more precise regression guard against future changes to query encoding order or redaction format.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@logger/sanitize_test.go` around lines 88 - 102, The new
TestStripSecretsURLQuery in StripSecrets should use an exact expected-string
assertion instead of only Contains checks so it more precisely guards the URL
redaction behavior. Update the test to compare the full sanitized output from
StripSecrets against the expected redacted URL, while still validating the
query-key redaction and password masking behavior exercised by the URL
fast-path.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@logger/sanitize_test.go`:
- Around line 88-102: The new TestStripSecretsURLQuery in StripSecrets should
use an exact expected-string assertion instead of only Contains checks so it
more precisely guards the URL redaction behavior. Update the test to compare the
full sanitized output from StripSecrets against the expected redacted URL, while
still validating the query-key redaction and password masking behavior exercised
by the URL fast-path.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ed0e3540-1977-4752-8c16-fed0b8068b89

📥 Commits

Reviewing files that changed from the base of the PR and between 7d42fe5 and bf7a7ce.

⛔ Files ignored due to path filters (1)
  • cmd/hx/go.sum is excluded by !**/*.sum
📒 Files selected for processing (4)
  • cmd/hx/go.mod
  • http/http_test.go
  • logger/sanitize.go
  • logger/sanitize_test.go
🚧 Files skipped from review as they are similar to previous changes (2)
  • logger/sanitize.go
  • cmd/hx/go.mod

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants