Skip to content

Fix CodeQL alerts#311

Merged
hendrikmennen merged 1 commit into
mainfrom
fix/codeql-alerts
Jul 10, 2026
Merged

Fix CodeQL alerts#311
hendrikmennen merged 1 commit into
mainfrom
fix/codeql-alerts

Conversation

@hendrikmennen

Copy link
Copy Markdown
Contributor

No description provided.

- Add explicit top-level GITHUB_TOKEN permissions blocks to 12 GitHub
  Actions workflows (actions/missing-workflow-permissions). Uses
  `contents: read` by default, and `{}` for publish-studio-all.yml
  which already grants `contents: write` at the job level.
- Sanitize newline/carriage-return characters from user-controlled
  values (OAuth callback `error` query parameters and the token
  endpoint response body) in OneWareCloudLoginService before they are
  written to the log, preventing log forging (cs/log-forging).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@hendrikmennen hendrikmennen merged commit cf8f039 into main Jul 10, 2026
8 checks passed
@hendrikmennen hendrikmennen deleted the fix/codeql-alerts branch July 10, 2026 15:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant