fix: resolve CodeQL security warnings

claude · claude · commit a2d2ce66674e · 2026-02-19T07:30:14.000Z
- Replace SHA-256 with scrypt for API key hashing in hash.util.ts and the HashApiKeys migration to use a computationally expensive KDF - Add explicit max batch size (1000) in telemetry service to prevent loop bound injection from unbounded user-controlled arrays - Remove API key snippet from validation error messages in openclaw-plugin config to prevent sensitive data leakage in logs - Add explicit `permissions: contents: read` to CI workflow to follow principle of least privilege https://claude.ai/code/session_012Y448H3mNA8HJsDRJtXvEC
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -9,6 +9,9 @@ on:
     branches: [main]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   backend:
     runs-on: ubuntu-latest
diff --git a/packages/backend/src/common/utils/hash.util.spec.ts b/packages/backend/src/common/utils/hash.util.spec.ts
@@ -1,7 +1,7 @@
 import { sha256, keyPrefix } from './hash.util';
 
 describe('hash.util', () => {
-  describe('sha256', () => {
+  describe('sha256 (scrypt-based)', () => {
     it('returns a 64-character hex string', () => {
       const result = sha256('test-input');
       expect(result).toHaveLength(64);
@@ -15,13 +15,6 @@ describe('hash.util', () => {
     it('produces different output for different inputs', () => {
       expect(sha256('input-a')).not.toBe(sha256('input-b'));
     });
-
-    it('matches known SHA-256 digest', () => {
-      // echo -n "abc" | sha256sum
-      expect(sha256('abc')).toBe(
-        'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad',
-      );
-    });
   });
 
   describe('keyPrefix', () => {
diff --git a/packages/backend/src/common/utils/hash.util.ts b/packages/backend/src/common/utils/hash.util.ts
@@ -1,7 +1,10 @@
-import { createHash } from 'crypto';
+import { scryptSync } from 'crypto';
+
+const HASH_SALT = 'manifest-api-key-salt';
+const KEY_LENGTH = 32;
 
 export function sha256(input: string): string {
-  return createHash('sha256').update(input).digest('hex');
+  return scryptSync(input, HASH_SALT, KEY_LENGTH).toString('hex');
 }
 
 export function keyPrefix(key: string): string {
diff --git a/packages/backend/src/database/migrations/1771500000000-HashApiKeys.ts b/packages/backend/src/database/migrations/1771500000000-HashApiKeys.ts
@@ -1,5 +1,8 @@
 import { MigrationInterface, QueryRunner } from 'typeorm';
-import { createHash } from 'crypto';
+import { scryptSync } from 'crypto';
+
+const HASH_SALT = 'manifest-api-key-salt';
+const KEY_LENGTH = 32;
 
 export class HashApiKeys1771500000000 implements MigrationInterface {
   name = 'HashApiKeys1771500000000';
@@ -53,7 +56,7 @@ export class HashApiKeys1771500000000 implements MigrationInterface {
       `SELECT id, key FROM "agent_api_keys" WHERE key IS NOT NULL AND key != ''`,
     );
     for (const row of agentKeys) {
-      const hash = createHash('sha256').update(row.key).digest('hex');
+      const hash = scryptSync(row.key, HASH_SALT, KEY_LENGTH).toString('hex');
       const prefix = row.key.substring(0, 12);
       await queryRunner.query(
         `UPDATE "agent_api_keys" SET key_hash = $1, key_prefix = $2 WHERE id = $3`,
@@ -65,7 +68,7 @@ export class HashApiKeys1771500000000 implements MigrationInterface {
       `SELECT id, key FROM "api_keys" WHERE key IS NOT NULL AND key != ''`,
     );
     for (const row of apiKeys) {
-      const hash = createHash('sha256').update(row.key).digest('hex');
+      const hash = scryptSync(row.key, HASH_SALT, KEY_LENGTH).toString('hex');
       const prefix = row.key.substring(0, 12);
       await queryRunner.query(
         `UPDATE "api_keys" SET key_hash = $1, key_prefix = $2 WHERE id = $3`,
diff --git a/packages/backend/src/telemetry/telemetry.service.ts b/packages/backend/src/telemetry/telemetry.service.ts
@@ -27,14 +27,17 @@ export class TelemetryService {
     private readonly pricingCache: ModelPricingCacheService,
   ) {}
 
+  private static readonly MAX_EVENTS_PER_BATCH = 1000;
+
   async ingest(events: TelemetryEventDto[], userId: string): Promise<IngestResult> {
+    const safeEvents = events.slice(0, TelemetryService.MAX_EVENTS_PER_BATCH);
     let accepted = 0;
     let rejected = 0;
     const errors: Array<{ index: number; reason: string }> = [];
 
-    for (let i = 0; i < events.length; i++) {
+    for (let i = 0; i < safeEvents.length; i++) {
       try {
-        await this.insertEvent(events[i], userId);
+        await this.insertEvent(safeEvents[i], userId);
         accepted++;
       } catch (err) {
         rejected++;
diff --git a/packages/openclaw-plugin/src/config.ts b/packages/openclaw-plugin/src/config.ts
@@ -65,7 +65,7 @@ export function validateConfig(config: ManifestConfig): string | null {
   }
   if (!config.apiKey.startsWith("mnfst_")) {
     return (
-      `Invalid apiKey format '${config.apiKey.slice(0, 8)}…'. ` +
+      "Invalid apiKey format. " +
       "Keys must start with 'mnfst_'. Fix it via:\n" +
       "  openclaw config set manifest.apiKey mnfst_YOUR_KEY"
     );

Original file line number	Diff line number	Diff line change
`@@ -65,7 +65,7 @@ export function validateConfig(config: ManifestConfig): string \| null {`
`65`	`65`	`}`
`66`	`66`	`if (!config.apiKey.startsWith("mnfst_")) {`
`67`	`67`	`return (`
`68`		- `Invalid apiKey format '${config.apiKey.slice(0, 8)}…'. ` +
	`68`	`+ "Invalid apiKey format. " +`
`69`	`69`	`"Keys must start with 'mnfst_'. Fix it via:\n" +`
`70`	`70`	`" openclaw config set manifest.apiKey mnfst_YOUR_KEY"`
`71`	`71`	`);`