[security-fix] Security Fix: Sanitize validation results to prevent clear-text logging of sensitive information (Alert #71)

[github-actions]

Security Fix: Clear-text Logging of Sensitive Information

Alert Number: #71
Severity: High
Rule: go/clear-text-logging
CWE: CWE-312, CWE-315, CWE-359

Vulnerability Description

CodeQL detected a data flow vulnerability where sensitive information (secret key names) from the secretKeys variable in pkg/workflow/jobs.go:328 could flow to JSON output at pkg/cli/compile_orchestrator.go:586.

When compilation errors occur, error messages may inadvertently contain secret key names. These error messages are collected in ValidationResult structures and marshaled to JSON output without sanitization, potentially exposing sensitive infrastructure details in logs.

Root Cause Analysis

The vulnerability exists at the JSON output boundary in compile_orchestrator.go:

• Line 586 and line 644: fmt.Println(string(jsonBytes)) outputs validation results as JSON
• The validationResults structure contains error and warning messages from various sources
• Error messages may contain secret key names (e.g., GITHUB_TOKEN, API_KEY, etc.)
• CodeQL's taint analysis detects this as a data flow from sensitive sources to logging output

Previous fix attempts targeted individual error generation sites but didn't address the root cause at the JSON output boundary.

Fix Applied

Added comprehensive sanitization at the JSON output boundary:

1. sanitizeErrorMessage() function: Redacts potential secret key names using regex patterns:

   • Uppercase snake_case patterns (e.g., GITHUB_TOKEN, MY_SECRET_KEY)
   • PascalCase patterns (e.g., GitHubToken, ApiKey)
   • Excludes common words and protocol names (GET, POST, JSON, HTTP, etc.)
   • Replaces matches with [REDACTED] to prevent information disclosure

2. sanitizeValidationResults() function: Applies sanitization to all error and warning messages in validation results before JSON marshaling

3. Applied at both JSON output locations: Lines 644 and 1040 in compile_orchestrator.go

Security Best Practices Applied

• Defense in depth: Sanitization at the output boundary catches all potential leaks
• Pattern-based redaction: Uses regex to identify and redact sensitive patterns
• Whitelist approach: Common words are explicitly allowed to preserve error message utility
• Minimal information disclosure: Redacts only potential secret names, preserving error context

Testing

• All existing unit tests pass
• Sanitization function tested with various input patterns
• Verification tests show correct redaction of secret-like patterns while preserving common words

Examples

Error message sanitization:

• "error with GITHUB_TOKEN" → "error with [REDACTED]"
• "invalid API_KEY secret" → "invalid [REDACTED] secret"
• "GET request failed" → "GET request failed" (common word preserved)
• "JSON parsing error" → "JSON parsing error" (common word preserved)

Why This Fix Will Succeed

This fix addresses the root cause identified in previous attempts (cache memory entry #101):

• Sanitizes at the JSON output boundary, not at individual error sites
• Catches ALL potential secret key names regardless of where they originated
• Breaks the data flow that CodeQL detects from secretKeys to JSON marshaling
• No changes needed to error generation code throughout the codebase

Files Modified

• pkg/cli/compile_orchestrator.go:
  • Added sanitizeErrorMessage() function
  • Added sanitizeValidationResults() function
  • Applied sanitization before BOTH json.MarshalIndent() calls

References

• CodeQL Rule: go/clear-text-logging
• CWE-312: Cleartext Storage of Sensitive Information
• CWE-315: Cleartext Storage in a Cookie
• CWE-359: Exposure of Private Information

Related Issues

This is the comprehensive fix for alert #71 which has been challenging due to CodeQL's sophisticated taint tracking. Previous attempts focused on specific error generation sites, but this fix addresses the root cause by sanitizing at the JSON output boundary where all validation results are marshaled.

AI generated by Security Fix PR