Resolve CodeQL Alert #123 - Generated by GHA

[HackforLABot]

Prerequisite

1. Be a member of Hack for LA. (There are no fees to join.) If you have not joined yet, please follow the steps on our Getting Started page.
2. Before you claim or start working on an issue, please make sure you have read our How to Contribute to Hack for LA Guide.

Overview

We need to resolve the new alert (123) and either recommend dismissal of the alert or update the code files to resolve the alert.

Action Items

• [x] The following action item serves to "link" this issue as the "tracking issue" for the CodeQL alert and to provide more details regarding the alert:
• [x] https://github.com/hackforla/website/security/code-scanning/123
• [x] In a comment in this issue, add your analysis and recommendations. The recommendation can be one of the following: dismiss as test, dismiss as false positive, dismiss as won't fix, or update code. An example of a false positive is a report of a JavaScript syntax error that is caused by markdown or liquid symbols such as --- or {%
• [ ] If the recommendation is to dismiss the alert:
  • [ ] Apply the label ready for dev lead
  • [ ] Move the issue to Questions/In Review
• [ ] If the recommendation is to update code:
  • [ ] create an issue branch and proceed with the code update
  • [ ] The code file github-actions/trigger-schedule/add-update-label-weekly/add-label.js is used in the add update weekly label job within the GitHub Actions workflow .github/workflows/schedule-fri-0700.yml. GitHub Actions must be tested within a fork of the hackforla/website repository. For a description of the job and the process for testing the GitHub Action see https://github.com/hackforla/website/issues/4856#issuecomment-1974826346
  • [ ] proceed with pull request in the usual manner
• [ ] If the recommendation is to dismiss, describe your reason for dismissal in the comment, then move the issue to Questions/In Review and apply the label ready for dev lead.

Resources/Instructions

• HfLA website: CodeQL scan alert audits - issue 5005
• Code scanning results page
• CodeQL query help for JavaScript
• How to manage CodeQL alerts

This issue was automatically generated from the codeql.yml workflow

[github-actions[bot]]

Hi @HackforLABot.

Please don't forget to add the proper labels to this issue. Currently, the labels for the following are missing:

• Complexity, Role, Feature, Size

NOTE: Please ignore this comment if you do not have 'write' access to this directory.

To add a label, take a look at Github's documentation here.

Also, don't forget to remove the "missing labels" afterwards. To remove a label, the process is similar to adding a label, but you select a currently added label to remove it.

After the proper labels are added, the merge team will review the issue and add a "Ready for Prioritization" label once it is ready for prioritization.

Additional Resources:

• Wiki: How to create issues
• Wiki: How to read and interpret labels

[HackforLABot]

Hi @santisecco, thank you for taking up this issue! Hfla appreciates you :)

Do let fellow developers know about your:- i. Availability: (When are you available to work on the issue/answer questions other programmers might have about your issue?) ii. ETA: (When do you expect this issue to be completed?)

You're awesome!

P.S. - You may not take up another issue until this issue gets merged (or closed). Thanks again :)

[santisecco]

i. Availability: Mon-Wednesday ii. ETA: Wednesday 3pm

[santisecco]

The alert highlights a log injection threat. That's caused by users' comments.

Given the fact that we are all members of the organization commenting and working inside the repo, and each one of has already access to a host of code information the following is very improbable.

In the context of the code, the file add-label.js provides a function named minimizeComment(node_id). Line 441 is causing the alert, however upper lines in the function should be analyzed:

req.on('error', (error) => {
    console.error(error);
  });

The function sends a GraphQL mutation request to GitHub with the purpose of minimizing comments. Given the fact that we are dealing with user provided data, in this case "comments", it could be the case that a malicious actor utilizes this to generate deliberate error logs to do the following: (Particularly if the error logging contains parts of the comments provided by the user)

• The actor could print errors exposing sensitive information. Like in this case "projectBoardToken", for instance, present inside the API request.
• If for some reason the comment causes an error that is logged, special characters could be used to generate new logs, delete, or mutate existing ones. Making auditing difficult and hiding bad activity.

However, as outlined above, this is highly improbable.

The recommendation is dismiss as won't fix. But I would add a recommendation for this particular case. Also this problem will be addressed by an upcoming code refactoring after discussing the issue with a team leader.

Instead of logging the error. A quick fix is outlined below. Obviously this would make debugging more difficult but it would prevent this problem/alert from arising.

console.error("An error minimizing comments occurred")

Instead of:

console.error(error)

The best would be to develop a function that sanitizes all the data that is logged.