From e8b09f0ee3938afa88d836a1021ad6c3ebc498c3 Mon Sep 17 00:00:00 2001
From: Jonathan Flatt <jonflatt@gmail.com>
Date: Wed, 28 May 2025 05:28:46 -0500
Subject: [PATCH] fix: address security vulnerabilities and linting issues
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Fix log injection vulnerability by sanitizing user input in webhook logging
- Fix regex injection vulnerability by escaping profile names in AWS credential provider
- Remove unnecessary optional chaining operators based on TypeScript interface definitions
- Improve type safety and defensive programming practices
- Maintain backward compatibility while enhancing security

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 src/controllers/githubController.ts | 19 +++++++++++--------
 src/index.ts                        |  2 +-
 src/services/githubService.ts       | 12 +++++++-----
 src/utils/awsCredentialProvider.ts  |  7 ++++---
 4 files changed, 23 insertions(+), 17 deletions(-)

diff --git a/src/controllers/githubController.ts b/src/controllers/githubController.ts
index e1444ec..8bd0581 100644
--- a/src/controllers/githubController.ts
+++ b/src/controllers/githubController.ts
@@ -114,13 +114,13 @@ export const handleWebhook: WebhookHandler = async (req, res) => {
     const event = req.headers['x-github-event'] as string;
     const delivery = req.headers['x-github-delivery'] as string;
 
-    // Log webhook receipt with key details
+    // Log webhook receipt with key details (sanitize user input to prevent log injection)
     logger.info(
       {
         event,
         delivery,
-        sender: req.body.sender?.login,
-        repo: req.body.repository?.full_name
+        sender: req.body.sender.login.replace(/[\r\n\t]/g, '_'),
+        repo: req.body.repository.full_name.replace(/[\r\n\t]/g, '_')
       },
       `Received GitHub ${event} webhook`
     );
@@ -619,8 +619,8 @@ async function handleCheckSuiteCompleted(
       pullRequestCount: checkSuite.pull_requests ? checkSuite.pull_requests.length : 0,
       pullRequests: checkSuite.pull_requests?.map(pr => ({
         number: pr.number,
-        headRef: pr.head?.ref,
-        headSha: pr.head?.sha
+        headRef: pr.head.ref,
+        headSha: pr.head.sha
       }))
     },
     'Processing check_suite completed event'
@@ -689,7 +689,7 @@ async function handleCheckSuiteCompleted(
       repo: repo.full_name,
       checkSuite: checkSuite.id,
       conclusion: checkSuite.conclusion,
-      pullRequestCount: checkSuite.pull_requests?.length ?? 0,
+      pullRequestCount: (checkSuite.pull_requests ?? []).length,
       shouldTriggerReview,
       triggerReason,
       waitForAllChecks,
@@ -726,7 +726,7 @@ async function processAutomatedPRReviews(
 
       try {
         // Extract SHA from PR data first
-        const commitSha = pr.head?.sha;
+        const commitSha = pr.head.sha;
 
         if (!commitSha) {
           logger.error(
@@ -1432,7 +1432,10 @@ function getWorkflowNameFromCheckSuite(
 /**
  * Handle general webhook errors
  */
-function handleWebhookError(error: unknown, res: Response<WebhookResponse | ErrorResponse>): Response<WebhookResponse | ErrorResponse> {
+function handleWebhookError(
+  error: unknown,
+  res: Response<WebhookResponse | ErrorResponse>
+): Response<WebhookResponse | ErrorResponse> {
   const err = error as Error;
 
   // Generate a unique error reference
diff --git a/src/index.ts b/src/index.ts
index ca24d65..85e9775 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -119,7 +119,7 @@ app.get('/api/test-tunnel', (req, res: express.Response<TestTunnelResponse>) =>
     message: 'CF tunnel is working!',
     timestamp: new Date().toISOString(),
     headers: req.headers,
-    ip: req.ip ?? (req.connection as { remoteAddress?: string })?.remoteAddress
+    ip: req.ip ?? (req.connection as { remoteAddress?: string }).remoteAddress
   });
 });
 
diff --git a/src/services/githubService.ts b/src/services/githubService.ts
index 93159a7..8a8e2d4 100644
--- a/src/services/githubService.ts
+++ b/src/services/githubService.ts
@@ -594,11 +594,13 @@ export async function getCheckSuitesForRef({
         head_sha: suite.head_sha,
         status: suite.status,
         conclusion: suite.conclusion,
-        app: suite.app ? {
-          id: suite.app.id,
-          slug: suite.app.slug,
-          name: suite.app.name
-        } : null,
+        app: suite.app
+          ? {
+            id: suite.app.id,
+            slug: suite.app.slug,
+            name: suite.app.name
+          }
+          : null,
         pull_requests: null, // Simplified for our use case
         created_at: suite.created_at,
         updated_at: suite.updated_at,
diff --git a/src/utils/awsCredentialProvider.ts b/src/utils/awsCredentialProvider.ts
index 773f067..523c842 100644
--- a/src/utils/awsCredentialProvider.ts
+++ b/src/utils/awsCredentialProvider.ts
@@ -213,10 +213,11 @@ class AWSCredentialProvider {
       const credentialsContent = await fs.readFile(credentialsPath, 'utf8');
       const configContent = await fs.readFile(configPath, 'utf8');
 
-      // Parse credentials for the specific profile
-      const profileRegex = new RegExp(`\\[${profileName}\\]([^\\[]*)`);
+      // Parse credentials for the specific profile (escape profile name to prevent regex injection)
+      const escapedProfileName = profileName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+      const profileRegex = new RegExp(`\\[${escapedProfileName}\\]([^\\[]*)`);
       const credentialsMatch = credentialsContent.match(profileRegex);
-      const configMatch = configContent.match(new RegExp(`\\[profile ${profileName}\\]([^\\[]*)`));
+      const configMatch = configContent.match(new RegExp(`\\[profile ${escapedProfileName}\\]([^\\[]*)`));
 
       if (!credentialsMatch && !configMatch) {
         const error = new Error(`Profile '${profileName}' not found`) as AWSCredentialError;