fix(ci): resolve SonarCloud B security rating on new code#66
Conversation
Remove username and stream_id from log messages that SonarCloud flags as new-code security vulnerabilities, and finish migrating leftover test CSRF setup to configure_testing_app(). Co-authored-by: Alexander Wagner <info@alexanderwagnerdev.com>
Bugbot couldn't run - usage limit reachedBugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit. A user or team admin can review and increase usage limits in the Cursor dashboard. (requestId: serverGenReqId_3ba85cfc-e90d-424d-a159-6e28bf134a92) |
PR Summary by QodoFix SonarCloud S5145 by removing user-controlled data from logs
AI Description
Diagram
High-Level Assessment
Files changed (4)
|
Code Review by Qodo
Context used✅ Compliance rules (platform):
6 rules✅ Cross-repo context Not relevant to this PR:
OpenRTMP/librtmp2-server 1.
|
|
@codex review |
|
Codex Review: Didn't find any major issues. Chef's kiss. Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
…ble tag The SonarCloud S5145 fix dropped stream_id entirely from the delete-failure warning, regressing the ops correlation PR #57 added. Log a short SHA-256 prefix of stream_id instead: it lets ops match a failure to a stream without putting the raw user-controlled value back in the log.
Bugbot couldn't run - usage limit reachedBugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit. A user or team admin can review and increase usage limits in the Cursor dashboard. (requestId: serverGenReqId_0b42f9ee-81d4-4711-95bb-49596255c153) |
|
Code review by qodo was updated up to the latest commit ff98760 |
An unkeyed SHA-256 prefix of stream_id is deterministic and recomputable, so anyone with log access could deanonymize low-entropy/user-chosen stream IDs by brute-forcing candidates (caught in review). Key it with SECRET_KEY via HMAC so the tag is useless without a secret only the server holds.
Bugbot couldn't run - usage limit reachedBugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit. A user or team admin can review and increase usage limits in the Cursor dashboard. (requestId: serverGenReqId_be26c6ac-86a4-41af-8627-d713ba7b3a5b) |
|
|
Code review by qodo was updated up to the latest commit e48f568 |



Summary
SonarCloud failed the quality gate on
mainwith B Security Rating on New Code (required ≥ A) due to twopythonsecurity:S5145findings that log user-controlled request data.Changes
usernameand deletestream_idinapp.py; keep exception context vialogger.exception()/ error-only messages.test_delete_runtime.pyexpectations for the revised delete-failure log line.WTF_CSRF_ENABLED = Falsetest setups toconfigure_testing_app().Verification
python -m pytest -m "not integration"— 99 passedNeed help on this PR? Tag
/codesmithwith what you need. Autofix is disabled.Note
Low Risk
Logging-only hardening with no auth or API behavior changes; delete failures still surface the API error to the user via flash messages.
Overview
Addresses SonarCloud
pythonsecurity:S5145by removing user-controlled values from application logs while keeping enough context for operations.On login, when the session backend is unavailable, logging no longer includes the submitted username; it uses
logger.exception()with a fixed message so stack traces are still captured.On delete stream failures, the raw
stream_idis replaced with a 12-characterstream_tagderived from HMAC-SHA256(SECRET_KEY, stream_id) so ops can correlate log lines without writing attacker-controlled IDs to logs or using a guessable unkeyed hash.Tests assert the new delete-failure log format and two remaining inline test setups now call
configure_testing_app()instead of duplicating CSRF/test flags.Reviewed by Cursor Bugbot for commit e48f568. Bugbot is set up for automated code reviews on this repo. Configure here.