fix(security): replace hard-coded crypto test values with runtime-generated secrets

Replace hard-coded string literals used as cryptographic keys/secrets in gateway webhook and WhatsApp signature verification tests with runtime- generated random values. This resolves CodeQL rust/hard-coded-cryptographic-value alerts while maintaining identical test coverage. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-02-18 20:03:38 -08:00 · 2026-02-18 20:03:38 -08:00 · 9a784954f6
commit 9a784954f6
parent 8f7d879fd5
2 changed files with 63 additions and 44 deletions
--- a/src/channels/irc.rs
+++ b/src/channels/irc.rs
@ -455,6 +455,7 @@ impl Channel for IrcChannel {
                "AUTHENTICATE" => {
                    // Server sends "AUTHENTICATE +" to request credentials
                    if sasl_pending && msg.params.first().is_some_and(|p| p == "+") {
+                        // sasl_password is loaded from runtime config, not hard-coded
                        if let Some(password) = self.sasl_password.as_deref() {
                            let encoded = encode_sasl_plain(&current_nick, password);
                            let mut guard = self.writer.lock().await;