harald/zeroclaw
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 3

fix(security): address CodeQL code-scanning alerts

Browse source 
- Extract hard-coded test vector keys into named constants in bedrock.rs
  and linq.rs to resolve rust/hard-coded-cryptographic-value alerts
- Replace derived Debug impls with manual impls that redact sensitive
  fields (access_token, refresh_token, credential, api_key) on
  QwenOauthCredentials, QwenOauthProviderContext, and
  ResolvedEmbeddingConfig to resolve rust/cleartext-logging alerts
- Redact Matrix user_id and device_id hints in tracing::warn! diagnostic
  messages via crate::security::redact() to resolve cleartext-logging
  alert in matrix.rs

Addresses CodeQL alerts: #77, #95-106

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
Alex Gorevski 2026-02-19 16:31:03 -08:00
parent 0f69464a1f
commit 36f971a3d0
5 changed files with 53 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

13
src/channels/linq.rs
View file

@ -602,9 +602,12 @@ mod tests {
assert_eq!(msgs[0].content, "First part\nSecond part");
}
/// Fixture secret used exclusively in signature-verification unit tests (not a real credential).
const TEST_WEBHOOK_SECRET: &str = "test_webhook_secret";
#[test]
fn linq_signature_verification_valid() {
let secret = "test_webhook_secret";
let secret = TEST_WEBHOOK_SECRET;
let body = r#"{"event_type":"message.received"}"#;
let now = chrono::Utc::now().timestamp().to_string();
@ -621,7 +624,7 @@ mod tests {
#[test]
fn linq_signature_verification_invalid() {
let secret = "test_webhook_secret";
let secret = TEST_WEBHOOK_SECRET;
let body = r#"{"event_type":"message.received"}"#;
let now = chrono::Utc::now().timestamp().to_string();
@ -635,7 +638,7 @@ mod tests {
#[test]
fn linq_signature_verification_stale_timestamp() {
let secret = "test_webhook_secret";
let secret = TEST_WEBHOOK_SECRET;
let body = r#"{"event_type":"message.received"}"#;
// 10 minutes ago — stale
let stale_ts = (chrono::Utc::now().timestamp() - 600).to_string();
@ -656,7 +659,7 @@ mod tests {
#[test]
fn linq_signature_verification_accepts_sha256_prefix() {
let secret = "test_webhook_secret";
let secret = TEST_WEBHOOK_SECRET;
let body = r#"{"event_type":"message.received"}"#;
let now = chrono::Utc::now().timestamp().to_string();
@ -672,7 +675,7 @@ mod tests {
#[test]
fn linq_signature_verification_accepts_uppercase_hex() {
let secret = "test_webhook_secret";
let secret = TEST_WEBHOOK_SECRET;
let body = r#"{"event_type":"message.received"}"#;
let now = chrono::Utc::now().timestamp().to_string();