rocketadmin icon indicating copy to clipboard operation
rocketadmin copied to clipboard
verified publisher icon rocket-admin

Potential fix for code scanning alert no. 30: Use of externally-controlled format string

Open gugu opened this issue 5 months ago • 0 comments

Potential fix for https://github.com/rocket-admin/rocketadmin/security/code-scanning/30

To fix the problem, we should avoid directly interpolating untrusted data into the format string of logging functions. Instead, use a static format string and pass the untrusted data as a separate argument. Specifically, in console.error, replace `Error deleting row in table ${tableName}:` with "Error deleting row in table: %s" and pass tableName as an argument. This ensures that any format specifiers in tableName are not interpreted by the logging function, and the output remains as intended.

Edit the file shared-code/src/data-access-layer/data-access-objects/data-access-object-oracle.ts at line 151, replacing the vulnerable log statement with a safe one.

No new imports or definitions are required.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

gugu avatar Aug 05 '25 15:08 gugu