Skip to content

fix: log-forging security fix, command validation, and query optimization#213

Merged
joszz merged 5 commits into
mainfrom
chore/fix-openapi-dependency-compat
Jul 3, 2026
Merged

fix: log-forging security fix, command validation, and query optimization#213
joszz merged 5 commits into
mainfrom
chore/fix-openapi-dependency-compat

Conversation

@joszz

@joszz joszz commented Jul 3, 2026

Copy link
Copy Markdown
Owner

Summary

  • Fix log forging (CWE-117 / CodeQL alert #452): sanitize the user-supplied username before writing it into the failed-login warning log, preventing CR/LF injection of forged log entries.
  • Cap the scheduled-charging command value at 500 characters before it's forwarded to MQTT.
  • Combine GetAggregateStatsAsync's two separate COUNT queries into a single grouped query.

Test plan

  • dotnet test src/GarageStack.Tests — 265/265 passing
  • New tests added for the scheduled-charging length cap and the aggregate-stats query behavior

🤖 Generated with Claude Code

joszz and others added 4 commits July 3, 2026 08:25
CodeQL flagged log forging (CWE-117): the raw, user-supplied username was
written into the failed-login log line, letting an attacker inject CR/LF to
forge fake log entries. Strip newlines before logging.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
The scheduled-charging command accepted any non-empty string with no upper
bound before forwarding it to MQTT. Cap it at 500 characters.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
GetAggregateStatsAsync ran two separate COUNT queries against
TelemetrySnapshots. Combine them into one grouped query with conditional
aggregates.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@joszz joszz enabled auto-merge July 3, 2026 06:58
Merging main into this branch silently dropped the internal modifier
back to private, since only main's side had touched that line and git
didn't flag it as a conflict. WidgetEndpoints (added on main) calls
FixedTimeEquals for its API-key check, so the build failed with CS0122
and two cascading CS8031 errors on unrelated lambdas in the same file.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@joszz joszz merged commit 3b6fa60 into main Jul 3, 2026
21 checks passed
@joszz joszz deleted the chore/fix-openapi-dependency-compat branch July 3, 2026 07:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant