singlexyz/ChatGPT-Next-Web
1
0
Fork 0
forked from XiaoMo/ChatGPT-Next-Web
Code Pull Requests Activity

[+] CodeQL Report Fix log injection vulnerability in useSyncStore

Browse Source 
Severity : High
Sanitize the 'res' object before logging it in the 'check' method of useSyncStore to prevent log injection attacks.
The 'res' object is now sanitized by extracting only the necessary properties ('status', 'statusText', and 'headers') and logging the sanitized object instead.
This ensures that only safe and expected data is logged, mitigating the risk of log injection vulnerabilities.
This commit is contained in:
B0zal 2023-09-11 08:49:08 +07:00
parent 9770b65146
commit 605dd72354
No known key found for this signature in database
GPG Key ID: 2359195A49CAA696
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
app/store/sync.ts
View File

@ -56,7 +56,12 @@ export const useSyncStore = createPersistStore(
method: "PROFIND",
headers: this.headers(),
});
console.log(res);
const sanitizedRes = {
status: res.status,
statusText: res.statusText,
headers: res.headers,
};
console.log(sanitizedRes);
return res.status === 207;
} catch (e) {
console.error("[Sync] ", e);