
fix: address open code scanning alerts (log forging, missed Where) #254

Open

rlorenzo wants to merge 2 commits into main from fix/code-scanning-alerts

fix: address open code scanning alerts (log forging, missed Where)#254
rlorenzo wants to merge 2 commits into
mainfrom
fix/code-scanning-alerts

Conversation

rlorenzo (Contributor) commented Jul 3, 2026

Summary

Fixes both open CodeQL code scanning alerts:

Testing

  • npm run lint on both files: passes (remaining CA1502 complexity warnings are pre-existing on an untouched method)
  • npm run test:backend: all 2134 tests pass, including ApplyDirectorCustodialDeptFallback_InheritsDirectorDept_OnlyForNonAcademicCourses

rlorenzo added 2 commits July 3, 2026 00:45

CodeQL flags string.Join(",", weekIds) as log forging (alert 714)
each time this file changes, even though int[] cannot carry control
characters. Wrap all four occurrences with LogSanitizer.SanitizeString
so the taint path is closed for good instead of re-dismissing.

Resolves CodeQL cs/linq/missed-where (alert 703) by moving the CRN
guard from an if inside the loop into the Where clause.
codecov-commenter commented

Bundle Report

Bundle size has no change ✅

codecov-commenter commented Jul 3, 2026

Codecov Report

❌ Patch coverage is 77.77778% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 44.67%. Comparing base (3eaecff) to head (4f0c56a).

Files with missing lines | Patch % | Lines
.../ClinicalScheduler/Services/ScheduleEditService.cs | 50.00% | 2 Missing ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##             main     #254   +/-   ##
=======================================
  Coverage   44.67%   44.67%           
=======================================
  Files         897      897           
  Lines       51894    51893    -1     
  Branches     4869     4868    -1     
=======================================
+ Hits        23184    23185    +1     
  Misses      28130    28130           
+ Partials      580      578    -2     
Flag | Coverage Δ
backend | 44.74% <77.77%> (+<0.01%) ⬆️
frontend | 43.41% <ø> (ø)


Copilot AI left a comment

Pull request overview

This PR addresses two CodeQL alerts by (1) sanitizing weekIds values before logging to permanently close a log-forging taint path, and (2) rewriting a foreach guard-pattern into a LINQ Where() filter to satisfy the “missed where” analyzer without changing behavior.

Changes:

  • Sanitize string.Join(",", weekIds) via LogSanitizer.SanitizeString(...) at all affected log sites in ScheduleEditService.
  • Refactor ApplyDirectorCustodialDeptFallback to push CRN presence + dictionary membership checks into the .Where() clause and keep the loop body as a single assignment.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File | Description
web/Areas/Effort/Services/Harvest/NonCrestHarvestPhase.cs | Refactors a foreach guard if into a stronger LINQ filter and simplifies the loop body to an assignment.
web/Areas/ClinicalScheduler/Services/ScheduleEditService.cs | Sanitizes logged week-id lists with LogSanitizer.SanitizeString to resolve CodeQL log-forging alerts.
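The block below is an added illustration of the two fixes summarized in the review above; it is not code from this PR or the repository. It uses a hypothetical stand-in for LogSanitizer, a hypothetical Course record, and constructed sample values; the CRN/department member names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical stand-in for the project's LogSanitizer (not the real class): every
// control character, CR and LF included, is replaced so a logged value cannot
// end the current log line and start a forged one.
public static class LogSanitizerExample
{
    public static string SanitizeString(string? input) =>
        string.IsNullOrEmpty(input)
            ? string.Empty
            : new string(input.Select(c => char.IsControl(c) ? '_' : c).ToArray());
}

// Hypothetical course record; the member names are assumptions.
public sealed class Course { public string? Crn { get; set; } public string? Dept { get; set; } }

public static class AlertFixesExample
{
    // weekIds is int[], so the joined text can never carry CR/LF; wrapping it
    // anyway closes the CodeQL taint path instead of re-dismissing the alert.
    public static string DescribeWeekIds(int[] weekIds) =>
        "weekIds=" + LogSanitizerExample.SanitizeString(string.Join(",", weekIds));

    // "Missed Where" shape: the CRN guard sits in the filter, so the loop body
    // is a single assignment (a sketch of the refactor, not the real method).
    public static int ApplyDeptFallback(IEnumerable<Course> courses,
                                        IReadOnlyDictionary<string, string> deptByCrn)
    {
        int updated = 0;
        foreach (var course in courses.Where(c =>
                     !string.IsNullOrEmpty(c.Crn) && deptByCrn.ContainsKey(c.Crn!)))
        {
            course.Dept = deptByCrn[course.Crn!];
            updated++;
        }
        return updated;
    }

    public static void Main()
    {
        Console.WriteLine(DescribeWeekIds(new[] { 3, 7, 12 }));
        // Constructed hostile input: CRLF followed by a fake second log entry.
        Console.WriteLine(LogSanitizerExample.SanitizeString("abc\r\n[INFO] admin login ok"));
        var courses = new List<Course> { new Course { Crn = "12345" }, new Course { Crn = null } };
        var map = new Dictionary<string, string> { ["12345"] = "Surgery" };
        Console.WriteLine($"updated={ApplyDeptFallback(courses, map)} dept={courses[0].Dept}");
    }
}
```

The second WriteLine shows why the sanitizer matters for genuinely attacker-influenced strings: the CR/LF pair is neutralized, so the fake "[INFO]" entry stays inside the original log line.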
