
@github-actions
Contributor

Security Fix: Unsafe Quoting in Validation Error Messages

Alert Number: #19
Severity: Critical
Rule: go/unsafe-quoting (CodeQL)
File: pkg/workflow/validation.go:35

Vulnerability Description

CodeQL identified a potentially unsafe quoting vulnerability in the validateExpressionSizes function. The code was constructing an error message with user-controlled input (YAML key names) embedded directly into a single-quoted string without proper escaping:

errorMsg = fmt.Sprintf("expression value for '%s' (%s) exceeds maximum allowed size (%s) at line %d. ...",
    key, actualSize, maxSizeFormatted, lineNum+1)

If a YAML key contains a single quote character, it could prematurely close the surrounding string literal, potentially changing the structure of the error message. While this specific instance has limited direct security impact (error messages), following secure coding practices prevents this pattern from being replicated in more sensitive contexts.

Fix Applied

Changed the format specifier from '%s' to %q, which properly quotes and escapes the string according to Go syntax:

errorMsg = fmt.Sprintf("expression value for %q (%s) exceeds maximum allowed size (%s) at line %d. ...",
    key, actualSize, maxSizeFormatted, lineNum+1)

Security Best Practices

  1. Proper Escaping: The %q format verb automatically escapes special characters including quotes, backslashes, and control characters
  2. Defense in Depth: Even though error messages are low-risk, establishing secure patterns prevents similar vulnerabilities in higher-risk code
  3. Go Standard Library: Using built-in formatting functions is safer than manual string construction

Testing Considerations

  • Verify that error messages with special characters in key names display correctly
  • Test with YAML keys containing: single quotes, double quotes, backslashes, newlines
  • Confirm that the fix doesn't break existing error handling logic

Generated with Claude Code

AI generated by Security Fix PR
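Added example, not the project's code and not part of the PR above: a stand-alone Go program that reproduces the before/after format strings in hypothetical helpers (formatUnsafe, formatQuoted) and exercises them with the key names listed under Testing Considerations: single quotes, double quotes, backslashes and newlines. The key names, size strings and helper names are constructed for this illustration; the real validateExpressionSizes, its size formatting and the elided tail of the message are not reproduced. Two details worth seeing in running code: %q emits a Go double-quoted literal, so a single quote inside the key passes through unchanged, and what the fix buys is that the key can no longer forge the delimiter, because double quotes, backslashes and control characters are escaped and strconv.Unquote recovers the original key exactly. A naive parser of the old message, by contrast, truncates a key at its first single quote.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Hypothetical stand-ins for the message built in validateExpressionSizes.
// The real function, its size formatting and the elided tail of the message
// are not reproduced; only the quoting of the key is under test.

// formatUnsafe is the pre-fix pattern: the key sits between hand-written
// single quotes and nothing inside it is escaped.
func formatUnsafe(key, actualSize, maxSize string, lineNum int) string {
	return fmt.Sprintf("expression value for '%s' (%s) exceeds maximum allowed size (%s) at line %d",
		key, actualSize, maxSize, lineNum+1)
}

// formatQuoted is the post-fix pattern: %q emits a Go double-quoted literal,
// escaping double quotes, backslashes and control characters in the key.
func formatQuoted(key, actualSize, maxSize string, lineNum int) string {
	return fmt.Sprintf("expression value for %q (%s) exceeds maximum allowed size (%s) at line %d",
		key, actualSize, maxSize, lineNum+1)
}

// naiveSingleQuotedKey is what a log parser or test matching the old message
// would do: take the text between the first two single quotes. A key that
// contains a single quote is truncated at that quote.
func naiveSingleQuotedKey(msg string) string {
	start := strings.Index(msg, "'")
	if start < 0 {
		return ""
	}
	rest := msg[start+1:]
	end := strings.Index(rest, "'")
	if end < 0 {
		return ""
	}
	return rest[:end]
}

// extractQuotedKey recovers the key from a %q-formatted message: it finds the
// first Go string literal, skipping backslash-escaped bytes so an escaped
// double quote cannot terminate it early, and unquotes it with strconv.
func extractQuotedKey(msg string) (string, error) {
	start := strings.Index(msg, `"`)
	if start < 0 {
		return "", fmt.Errorf("no quoted key in message")
	}
	for i := start + 1; i < len(msg); i++ {
		switch msg[i] {
		case '\\':
			i++ // skip the escaped byte
		case '"':
			return strconv.Unquote(msg[start : i+1])
		}
	}
	return "", fmt.Errorf("unterminated quoted key in message")
}

func main() {
	// Constructed key names covering the cases listed under Testing Considerations.
	keys := []string{"plain", "it's", `say "hi"`, `back\slash`, "multi\nline"}
	for _, key := range keys {
		old := formatUnsafe(key, "2 KB", "1 KB", 4)
		quoted := formatQuoted(key, "2 KB", "1 KB", 4)
		recovered, err := extractQuotedKey(quoted)
		fmt.Printf("key %q\n  old: %s\n  new: %s\n  naive parse of old: %q\n  unquote of new: %q (err=%v, roundtrip=%t)\n\n",
			key, old, quoted, naiveSingleQuotedKey(old), recovered, err, err == nil && recovered == key)
	}
}
```

Run it with `go run` and compare the "old" and "new" lines for the `it's` key: the old message contains three single quotes and no way to tell which pair delimits the key, while the new one reads `"it's"` and unquotes back to the original. The same holds for the YAML-relevant cases of embedded double quotes and newlines, which is the check the Testing Considerations list asks for.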

Replace single-quote string formatting with %q format specifier to properly
escape user-controlled input in error messages. This prevents potential quote
injection vulnerabilities where malicious YAML key names containing single
quotes could break out of the string literal.

Security Impact:
- Prevents potential command injection or SQL injection if error messages
  are used in contexts that interpret quotes specially
- Follows Go best practices for safely embedding untrusted data in strings

Changes:
- Changed format string from '%s' to %q in validateExpressionSizes function
- The %q specifier automatically escapes special characters including quotes

Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@pelikhan pelikhan marked this pull request as ready for review October 14, 2025 20:39
@pelikhan pelikhan merged commit cadd27b into main Oct 14, 2025
5 checks passed
@pelikhan pelikhan deleted the security-fix-alert-19-unsafe-quoting-validation-df767fe272f44d66 branch October 14, 2025 20:39
@github-actions
Contributor Author

Agentic Changeset Generator triggered by this pull request
