Merge pull request #9 from gluk-w/security-fixes

FizzWizZleDazzle · web-flow · commit 797b9f033226 · 2026-02-19T18:38:07.000-05:00
Fix CodeQL security vulnerabilities
diff --git a/control-plane/frontend/src/hooks/useChat.ts b/control-plane/frontend/src/hooks/useChat.ts
@@ -143,8 +143,9 @@ export function useChat(instanceId: number, enabled: boolean) {
               { id: nextId(), role, content, timestamp: Date.now() },
             ]);
           } else {
-            // Log unknown events for debugging
-            console.log("[chat] gateway event:", ev, payload);
+            // Log unknown events for debugging (sanitize to prevent log injection)
+            const sanitizedEv = String(ev).replace(/[\n\r]/g, ' ');
+            console.log("[chat] gateway event:", sanitizedEv, payload);
           }
           break;
         }
diff --git a/control-plane/frontend/src/pages/InstanceDetailPage.tsx b/control-plane/frontend/src/pages/InstanceDetailPage.tsx
@@ -116,7 +116,7 @@ export default function InstanceDetailPage() {
     navigate(`#${tab}`, { replace: true });
   };
 
-  const [chatOpen, setChatOpen] = useState(false);
+  const [chatOpen, _setChatOpen] = useState(false);
   const chatInitSentRef = useRef(false);
 
   const logsHook = useInstanceLogs(instanceId, activeTab === "logs");
diff --git a/control-plane/internal/config/openclaw.go b/control-plane/internal/config/openclaw.go
@@ -2,11 +2,14 @@ package config
 
 import (
 	"context"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"log"
 	"strings"
 	"time"
+
+	"github.com/gluk-w/claworc/control-plane/internal/logutil"
 )
 
 // InstanceOps defines the generic primitives needed to configure an instance.
@@ -34,7 +37,7 @@ func ConfigureInstance(ctx context.Context, ops InstanceOps, name string, models
 
 	// Wait for instance to become running
 	if !waitForRunning(ctx, ops, name, 120*time.Second) {
-		log.Printf("Timed out waiting for %s to start; models/keys not configured", name)
+		log.Printf("Timed out waiting for %s to start; models/keys not configured", logutil.SanitizeForLog(name))
 		return
 	}
 
@@ -46,7 +49,7 @@ func ConfigureInstance(ctx context.Context, ops InstanceOps, name string, models
 		}
 		data := []byte(strings.Join(lines, "\n") + "\n")
 		if err := ops.WriteFile(ctx, name, pathClaworcKeys, data); err != nil {
-			log.Printf("Error writing API keys for %s: %v", name, err)
+			log.Printf("Error writing API keys for %s: %v", logutil.SanitizeForLog(name), err)
 			return
 		}
 	}
@@ -63,18 +66,20 @@ func ConfigureInstance(ctx context.Context, ops InstanceOps, name string, models
 		}
 		modelJSON, err := json.Marshal(modelConfig)
 		if err != nil {
-			log.Printf("Error marshaling model config for %s: %v", name, err)
+			log.Printf("Error marshaling model config for %s: %v", logutil.SanitizeForLog(name), err)
 			return
 		}
+		// Use base64 encoding to safely pass JSON through shell
+		b64 := base64.StdEncoding.EncodeToString(modelJSON)
 		cmd := []string{"su", "-", "claworc", "-c",
-			fmt.Sprintf("openclaw config set agents.defaults.model '%s' --json", string(modelJSON))}
+			fmt.Sprintf("openclaw config set agents.defaults.model \"$(echo '%s' | base64 -d)\" --json", b64)}
 		_, stderr, code, err := ops.ExecInInstance(ctx, name, cmd)
 		if err != nil {
-			log.Printf("Error setting model config for %s: %v", name, err)
+			log.Printf("Error setting model config for %s: %v", logutil.SanitizeForLog(name), err)
 			return
 		}
 		if code != 0 {
-			log.Printf("Failed to set model config for %s: %s", name, stderr)
+			log.Printf("Failed to set model config for %s: %s", logutil.SanitizeForLog(name), logutil.SanitizeForLog(stderr))
 			return
 		}
 	}
@@ -83,14 +88,14 @@ func ConfigureInstance(ctx context.Context, ops InstanceOps, name string, models
 	cmd := []string{"su", "-", "claworc", "-c", "openclaw gateway stop"}
 	_, stderr, code, err := ops.ExecInInstance(ctx, name, cmd)
 	if err != nil {
-		log.Printf("Error restarting gateway for %s: %v", name, err)
+		log.Printf("Error restarting gateway for %s: %v", logutil.SanitizeForLog(name), err)
 		return
 	}
 	if code != 0 {
-		log.Printf("Failed to restart gateway for %s: %s", name, stderr)
+		log.Printf("Failed to restart gateway for %s: %s", logutil.SanitizeForLog(name), logutil.SanitizeForLog(stderr))
 		return
 	}
-	log.Printf("Models and API keys configured for %s", name)
+	log.Printf("Models and API keys configured for %s", logutil.SanitizeForLog(name))
 }
 
 func waitForRunning(ctx context.Context, ops InstanceOps, name string, timeout time.Duration) bool {
diff --git a/control-plane/internal/handlers/control.go b/control-plane/internal/handlers/control.go
@@ -15,6 +15,7 @@ import (
 	"github.com/coder/websocket"
 	"github.com/gluk-w/claworc/control-plane/internal/crypto"
 	"github.com/gluk-w/claworc/control-plane/internal/database"
+	"github.com/gluk-w/claworc/control-plane/internal/logutil"
 	"github.com/gluk-w/claworc/control-plane/internal/middleware"
 	"github.com/gluk-w/claworc/control-plane/internal/orchestrator"
 	"github.com/go-chi/chi/v5"
@@ -184,7 +185,7 @@ func ControlProxy(w http.ResponseWriter, r *http.Request) {
 		targetURL += "?" + r.URL.RawQuery
 	}
 
-	log.Printf("Control proxy: %s → %s", r.URL.Path, targetURL)
+	log.Printf("Control proxy: %s → %s", logutil.SanitizeForLog(r.URL.Path), logutil.SanitizeForLog(targetURL))
 	resp, err := getProxyClient().Get(targetURL)
 	if err != nil {
 		log.Printf("Control proxy error: %v", err)
@@ -261,7 +262,7 @@ func controlWSProxy(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	log.Printf("Control WS proxy: %s → %s", r.URL.Path, wsURL)
+	log.Printf("Control WS proxy: %s → %s", logutil.SanitizeForLog(r.URL.Path), logutil.SanitizeForLog(wsURL))
 	upstreamConn, _, err := websocket.Dial(dialCtx, wsURL, dialOpts)
 	if err != nil {
 		log.Printf("Control WS proxy: upstream dial error: %v", err)
diff --git a/control-plane/internal/handlers/files.go b/control-plane/internal/handlers/files.go
@@ -11,6 +11,7 @@ import (
 	"strings"
 
 	"github.com/gluk-w/claworc/control-plane/internal/database"
+	"github.com/gluk-w/claworc/control-plane/internal/logutil"
 	"github.com/gluk-w/claworc/control-plane/internal/middleware"
 	"github.com/gluk-w/claworc/control-plane/internal/orchestrator"
 	"github.com/go-chi/chi/v5"
@@ -47,7 +48,7 @@ func BrowseFiles(w http.ResponseWriter, r *http.Request) {
 
 	entries, err := orch.ListDirectory(r.Context(), inst.Name, dirPath)
 	if err != nil {
-		log.Printf("Failed to list directory %s for instance %s: %v", dirPath, inst.Name, err)
+		log.Printf("Failed to list directory %s for instance %s: %v", logutil.SanitizeForLog(dirPath), logutil.SanitizeForLog(inst.Name), err)
 		writeError(w, http.StatusInternalServerError, fmt.Sprintf("Failed to list directory: %v", err))
 		return
 	}
@@ -90,7 +91,7 @@ func ReadFileContent(w http.ResponseWriter, r *http.Request) {
 
 	content, err := orch.ReadFile(r.Context(), inst.Name, filePath)
 	if err != nil {
-		log.Printf("Failed to read file %s for instance %s: %v", filePath, inst.Name, err)
+		log.Printf("Failed to read file %s for instance %s: %v", logutil.SanitizeForLog(filePath), logutil.SanitizeForLog(inst.Name), err)
 		writeError(w, http.StatusInternalServerError, fmt.Sprintf("Failed to read file: %v", err))
 		return
 	}
diff --git a/control-plane/internal/handlers/instances.go b/control-plane/internal/handlers/instances.go
@@ -16,6 +16,7 @@ import (
 	"github.com/gluk-w/claworc/control-plane/internal/config"
 	"github.com/gluk-w/claworc/control-plane/internal/crypto"
 	"github.com/gluk-w/claworc/control-plane/internal/database"
+	"github.com/gluk-w/claworc/control-plane/internal/logutil"
 	"github.com/gluk-w/claworc/control-plane/internal/middleware"
 	"github.com/gluk-w/claworc/control-plane/internal/orchestrator"
 	"github.com/go-chi/chi/v5"
@@ -543,7 +544,7 @@ func CreateInstance(w http.ResponseWriter, r *http.Request) {
 			EnvVars:         envVars,
 		})
 		if err != nil {
-			log.Printf("Failed to create container resources for %s: %v", name, err)
+			log.Printf("Failed to create container resources for %s: %v", logutil.SanitizeForLog(name), err)
 			database.DB.Model(&inst).Update("status", "error")
 			return
 		}
@@ -709,7 +710,7 @@ func DeleteInstance(w http.ResponseWriter, r *http.Request) {
 
 	if orch := orchestrator.Get(); orch != nil {
 		if err := orch.DeleteInstance(r.Context(), inst.Name); err != nil {
-			log.Printf("Failed to delete container resources for %s – proceeding with DB cleanup: %v", inst.Name, err)
+			log.Printf("Failed to delete container resources for %s – proceeding with DB cleanup: %v", logutil.SanitizeForLog(inst.Name), err)
 		}
 	}
 
diff --git a/control-plane/internal/logutil/sanitize.go b/control-plane/internal/logutil/sanitize.go
@@ -0,0 +1,23 @@
+package logutil
+
+import "strings"
+
+// SanitizeForLog removes newlines and control characters from user-provided
+// strings to prevent log injection attacks where attackers could inject
+// fake log entries by including newline characters.
+func SanitizeForLog(s string) string {
+	// Replace all newlines with spaces
+	s = strings.ReplaceAll(s, "\n", " ")
+	s = strings.ReplaceAll(s, "\r", " ")
+	// Replace tabs with spaces
+	s = strings.ReplaceAll(s, "\t", " ")
+	// Remove other control characters (ASCII 0-31 except space)
+	var result strings.Builder
+	result.Grow(len(s))
+	for _, r := range s {
+		if r >= 32 || r == ' ' {
+			result.WriteRune(r)
+		}
+	}
+	return result.String()
+}
diff --git a/control-plane/internal/orchestrator/common.go b/control-plane/internal/orchestrator/common.go
@@ -7,6 +7,8 @@ import (
 	"log"
 	"strings"
 	"time"
+
+	"github.com/gluk-w/claworc/control-plane/internal/logutil"
 )
 
 const PathOpenClawConfig = "/home/claworc/.openclaw/openclaw.json"
@@ -21,29 +23,29 @@ type WaitFunc func(ctx context.Context, name string, timeout time.Duration) bool
 
 func configureGatewayToken(ctx context.Context, execFn ExecFunc, name, token string, waitFn WaitFunc) {
 	if !waitFn(ctx, name, 120*time.Second) {
-		log.Printf("Timed out waiting for %s to start; gateway token not configured", name)
+		log.Printf("Timed out waiting for %s to start; gateway token not configured", logutil.SanitizeForLog(name))
 		return
 	}
 	cmd := []string{"su", "-", "claworc", "-c", fmt.Sprintf("openclaw config set gateway.auth.token %s", token)}
 	_, stderr, code, err := execFn(ctx, name, cmd)
 	if err != nil {
-		log.Printf("Error configuring gateway token for %s: %v", name, err)
+		log.Printf("Error configuring gateway token for %s: %v", logutil.SanitizeForLog(name), err)
 		return
 	}
 	if code != 0 {
-		log.Printf("Failed to configure gateway token for %s: %s", name, stderr)
+		log.Printf("Failed to configure gateway token for %s: %s", logutil.SanitizeForLog(name), logutil.SanitizeForLog(stderr))
 		return
 	}
 	_, stderr, code, err = execFn(ctx, name, cmdGatewayStop)
 	if err != nil {
-		log.Printf("Error restarting gateway for %s: %v", name, err)
+		log.Printf("Error restarting gateway for %s: %v", logutil.SanitizeForLog(name), err)
 		return
 	}
 	if code != 0 {
-		log.Printf("Failed to restart gateway for %s: %s", name, stderr)
+		log.Printf("Failed to restart gateway for %s: %s", logutil.SanitizeForLog(name), logutil.SanitizeForLog(stderr))
 		return
 	}
-	log.Printf("Gateway token configured for %s", name)
+	log.Printf("Gateway token configured for %s", logutil.SanitizeForLog(name))
 }
 
 func updateInstanceConfig(ctx context.Context, execFn ExecFunc, name string, configJSON string) error {
diff --git a/control-plane/internal/orchestrator/docker.go b/control-plane/internal/orchestrator/docker.go
@@ -17,6 +17,7 @@ import (
 	dockerclient "github.com/docker/docker/client"
 	"github.com/docker/go-units"
 	"github.com/gluk-w/claworc/control-plane/internal/config"
+	"github.com/gluk-w/claworc/control-plane/internal/logutil"
 )
 
 const (
@@ -156,7 +157,7 @@ func (d *DockerOrchestrator) CreateInstance(ctx context.Context, params CreatePa
 			Labels: map[string]string{"managed-by": labelManagedBy, "instance": params.Name},
 		})
 		if err != nil {
-			log.Printf("Volume %s may already exist: %v", volName, err)
+			log.Printf("Volume %s may already exist: %v", logutil.SanitizeForLog(volName), err)
 		}
 	}
 
@@ -316,14 +317,14 @@ func (d *DockerOrchestrator) DeleteInstance(ctx context.Context, name string) er
 	// Remove container
 	err := d.client.ContainerRemove(ctx, name, container.RemoveOptions{Force: true})
 	if err != nil && !dockerclient.IsErrNotFound(err) {
-		log.Printf("Remove container %s: %v", name, err)
+		log.Printf("Remove container %s: %v", logutil.SanitizeForLog(name), err)
 	}
 
 	// Remove volumes
 	for _, suffix := range volumeSuffixes {
 		volName := d.volumeName(name, suffix)
 		if err := d.client.VolumeRemove(ctx, volName, true); err != nil && !dockerclient.IsErrNotFound(err) {
-			log.Printf("Remove volume %s: %v", volName, err)
+			log.Printf("Remove volume %s: %v", logutil.SanitizeForLog(volName), err)
 		}
 	}
 	return nil

Original file line number	Diff line number	Diff line change
`@@ -143,8 +143,9 @@ export function useChat(instanceId: number, enabled: boolean) {`
`143`	`143`	`{ id: nextId(), role, content, timestamp: Date.now() },`
`144`	`144`	`]);`
`145`	`145`	`} else {`
`146`		`- // Log unknown events for debugging`
`147`		`- console.log("[chat] gateway event:", ev, payload);`
	`146`	`+ // Log unknown events for debugging (sanitize to prevent log injection)`
	`147`	`+ const sanitizedEv = String(ev).replace(/[\n\r]/g, ' ');`
	`148`	`+ console.log("[chat] gateway event:", sanitizedEv, payload);`
`148`	`149`	`}`
`149`	`150`	`break;`
`150`	`151`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2,11 +2,14 @@ package config`
`2`	`2`
`3`	`3`	`import (`
`4`	`4`	`"context"`
	`5`	`+ "encoding/base64"`
`5`	`6`	`"encoding/json"`
`6`	`7`	`"fmt"`
`7`	`8`	`"log"`
`8`	`9`	`"strings"`
`9`	`10`	`"time"`
	`11`	`+`
	`12`	`+ "github.com/gluk-w/claworc/control-plane/internal/logutil"`
`10`	`13`	`)`
`11`	`14`
`12`	`15`	`// InstanceOps defines the generic primitives needed to configure an instance.`
`@@ -34,7 +37,7 @@ func ConfigureInstance(ctx context.Context, ops InstanceOps, name string, models`
`34`	`37`
`35`	`38`	`// Wait for instance to become running`
`36`	`39`	`if !waitForRunning(ctx, ops, name, 120*time.Second) {`
`37`		`- log.Printf("Timed out waiting for %s to start; models/keys not configured", name)`
	`40`	`+ log.Printf("Timed out waiting for %s to start; models/keys not configured", logutil.SanitizeForLog(name))`
`38`	`41`	`return`
`39`	`42`	`}`
`40`	`43`
`@@ -46,7 +49,7 @@ func ConfigureInstance(ctx context.Context, ops InstanceOps, name string, models`
`46`	`49`	`}`
`47`	`50`	`data := []byte(strings.Join(lines, "\n") + "\n")`
`48`	`51`	`if err := ops.WriteFile(ctx, name, pathClaworcKeys, data); err != nil {`
`49`		`- log.Printf("Error writing API keys for %s: %v", name, err)`
	`52`	`+ log.Printf("Error writing API keys for %s: %v", logutil.SanitizeForLog(name), err)`
`50`	`53`	`return`
`51`	`54`	`}`
`52`	`55`	`}`
`@@ -63,18 +66,20 @@ func ConfigureInstance(ctx context.Context, ops InstanceOps, name string, models`
`63`	`66`	`}`
`64`	`67`	`modelJSON, err := json.Marshal(modelConfig)`
`65`	`68`	`if err != nil {`
`66`		`- log.Printf("Error marshaling model config for %s: %v", name, err)`
	`69`	`+ log.Printf("Error marshaling model config for %s: %v", logutil.SanitizeForLog(name), err)`
`67`	`70`	`return`
`68`	`71`	`}`
	`72`	`+ // Use base64 encoding to safely pass JSON through shell`
	`73`	`+ b64 := base64.StdEncoding.EncodeToString(modelJSON)`
`69`	`74`	`cmd := []string{"su", "-", "claworc", "-c",`
`70`		`- fmt.Sprintf("openclaw config set agents.defaults.model '%s' --json", string(modelJSON))}`
	`75`	`+ fmt.Sprintf("openclaw config set agents.defaults.model \"$(echo '%s' \| base64 -d)\" --json", b64)}`
`71`	`76`	`_, stderr, code, err := ops.ExecInInstance(ctx, name, cmd)`
`72`	`77`	`if err != nil {`
`73`		`- log.Printf("Error setting model config for %s: %v", name, err)`
	`78`	`+ log.Printf("Error setting model config for %s: %v", logutil.SanitizeForLog(name), err)`
`74`	`79`	`return`
`75`	`80`	`}`
`76`	`81`	`if code != 0 {`
`77`		`- log.Printf("Failed to set model config for %s: %s", name, stderr)`
	`82`	`+ log.Printf("Failed to set model config for %s: %s", logutil.SanitizeForLog(name), logutil.SanitizeForLog(stderr))`
`78`	`83`	`return`
`79`	`84`	`}`
`80`	`85`	`}`
`@@ -83,14 +88,14 @@ func ConfigureInstance(ctx context.Context, ops InstanceOps, name string, models`
`83`	`88`	`cmd := []string{"su", "-", "claworc", "-c", "openclaw gateway stop"}`
`84`	`89`	`_, stderr, code, err := ops.ExecInInstance(ctx, name, cmd)`
`85`	`90`	`if err != nil {`
`86`		`- log.Printf("Error restarting gateway for %s: %v", name, err)`
	`91`	`+ log.Printf("Error restarting gateway for %s: %v", logutil.SanitizeForLog(name), err)`
`87`	`92`	`return`
`88`	`93`	`}`
`89`	`94`	`if code != 0 {`
`90`		`- log.Printf("Failed to restart gateway for %s: %s", name, stderr)`
	`95`	`+ log.Printf("Failed to restart gateway for %s: %s", logutil.SanitizeForLog(name), logutil.SanitizeForLog(stderr))`
`91`	`96`	`return`
`92`	`97`	`}`
`93`		`- log.Printf("Models and API keys configured for %s", name)`
	`98`	`+ log.Printf("Models and API keys configured for %s", logutil.SanitizeForLog(name))`
`94`	`99`	`}`
`95`	`100`
`96`	`101`	`func waitForRunning(ctx context.Context, ops InstanceOps, name string, timeout time.Duration) bool {`
Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@ import (`
`17`	`17`	`dockerclient "github.com/docker/docker/client"`
`18`	`18`	`"github.com/docker/go-units"`
`19`	`19`	`"github.com/gluk-w/claworc/control-plane/internal/config"`
	`20`	`+ "github.com/gluk-w/claworc/control-plane/internal/logutil"`
`20`	`21`	`)`
`21`	`22`
`22`	`23`	`const (`
`@@ -156,7 +157,7 @@ func (d *DockerOrchestrator) CreateInstance(ctx context.Context, params CreatePa`
`156`	`157`	`Labels: map[string]string{"managed-by": labelManagedBy, "instance": params.Name},`
`157`	`158`	`})`
`158`	`159`	`if err != nil {`
`159`		`- log.Printf("Volume %s may already exist: %v", volName, err)`
	`160`	`+ log.Printf("Volume %s may already exist: %v", logutil.SanitizeForLog(volName), err)`
`160`	`161`	`}`
`161`	`162`	`}`
`162`	`163`
`@@ -316,14 +317,14 @@ func (d *DockerOrchestrator) DeleteInstance(ctx context.Context, name string) er`
`316`	`317`	`// Remove container`
`317`	`318`	`err := d.client.ContainerRemove(ctx, name, container.RemoveOptions{Force: true})`
`318`	`319`	`if err != nil && !dockerclient.IsErrNotFound(err) {`
`319`		`- log.Printf("Remove container %s: %v", name, err)`
	`320`	`+ log.Printf("Remove container %s: %v", logutil.SanitizeForLog(name), err)`
`320`	`321`	`}`
`321`	`322`
`322`	`323`	`// Remove volumes`
`323`	`324`	`for _, suffix := range volumeSuffixes {`
`324`	`325`	`volName := d.volumeName(name, suffix)`
`325`	`326`	`if err := d.client.VolumeRemove(ctx, volName, true); err != nil && !dockerclient.IsErrNotFound(err) {`
`326`		`- log.Printf("Remove volume %s: %v", volName, err)`
	`327`	`+ log.Printf("Remove volume %s: %v", logutil.SanitizeForLog(volName), err)`
`327`	`328`	`}`
`328`	`329`	`}`
`329`	`330`	`return nil`