Fix CodeQL security vulnerabilities and lint issues#61

Merged
rvguha merged 2 commits into main from fix/codeql-lint-issues on Feb 12, 2026


@rvguha rvguha commented Feb 12, 2026

Summary

  • Security Fixes: Fix SSRF, XML bomb, path injection, double-escaping, stack trace exposure, and clear-text logging vulnerabilities identified by GitHub Code Scanning

Security Fixes

| Vulnerability | Severity | Location | Fix |
|--------------|----------|----------|-----|
| SSRF | Critical | crawler/master.py | Added is_safe_url() validation |
| XML Bomb | High | crawler/master.py | Replaced xml.etree with defusedxml |
| Path Injection | High | frontend/chat-app/bin/nlweb-chat.mjs | Use resolve() with proper boundary check |
| Double Escaping | High | ChatSearch.tsx | Move & decoding to last |
| Clear-text Logging | High | create_test_user.py | Mask API keys in output |
| Stack Trace Exposure | Medium | api.py, SSE interfaces | Return generic error messages |
| Workflow Permissions | Medium | check.yml | Add explicit permissions: contents: read |

Test plan

  • Run make check in ask_api, crawler, and frontend directories
  • Verify security alerts are resolved after merge (CodeQL will re-scan)
  • Test crawler with external URLs to ensure SSRF protection works

🤖 Generated with Claude Code

rvguha and others added 2 commits February 12, 2026 14:31
## Security Fixes

| Vulnerability | Severity | Location | Fix |
|--------------|----------|----------|-----|
| SSRF | Critical | crawler/master.py | Added `is_safe_url()` validation |
| XML Bomb | High | crawler/master.py | Replaced `xml.etree` with `defusedxml` |
| Path Injection | High | frontend/chat-app/bin/nlweb-chat.mjs | Use `resolve()` with proper boundary check |
| Double Escaping | High | ChatSearch.tsx | Move `&` decoding to last |
| Clear-text Logging | High | create_test_user.py | Mask API keys in output |
| Stack Trace Exposure | Medium | api.py, SSE interfaces | Return generic error messages |
| Workflow Permissions | Medium | check.yml | Add explicit `permissions: contents: read` |

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Resolve conflicts in SSE handlers while preserving both:
- Security fix: use logger.exception() instead of exposing stack traces
- Main branch improvement: handle mid-stream errors gracefully

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@rvguha rvguha merged commit 5ec7ec5 into main Feb 12, 2026
9 checks passed
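
The SSRF row names an `is_safe_url()` check in crawler/master.py, but the page does not show its body. The following is an added example, not the project's code: one way such a check can be written, assuming the policy is "http(s) only, and every address the host resolves to must be public". The `resolve` parameter is a hypothetical hook so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host, port):
    """Default resolver: every address the OS returns for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def is_safe_url(url, resolve=_resolve):
    """True only if url is http(s) and all resolved addresses are public.

    Illustrative sketch; `resolve` is a hypothetical injection point, not
    something the page documents for the project's own is_safe_url().
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    default_port = 443 if parts.scheme == "https" else 80
    try:
        addresses = resolve(parts.hostname, port or default_port)
    except OSError:
        return False  # unresolvable host: nothing to fetch
    if not addresses:
        return False
    for raw in addresses:
        try:
            ip = ipaddress.ip_address(raw.split("%", 1)[0])  # drop IPv6 zone id
        except ValueError:
            return False
        # An IPv4-mapped IPv6 address is judged as the IPv4 address it wraps.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        # One non-public answer is enough to reject: a host can return a
        # public and an internal record side by side.
        if not ip.is_global or ip.is_multicast:
            return False
    return True
```

A check like this validates the name at one moment; the HTTP client resolves it again when it connects, so the fetch should connect to the address that was validated and repeat the check on every redirect target.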