🛡️ Sentinel: [HIGH] Fix Log Injection Vulnerability in Folder IDs

[abhimehro]

This PR addresses a potential Log Injection vulnerability where malicious folder IDs or PKs returned from the API could inject ANSI control codes into the terminal logs.
It applies sanitize_for_log() to these values before logging.

Also includes fixes for existing test failures in test_plan_details.py and test_push_rules_perf.py.

---

PR created automatically by Jules for task 3451835848787490124 started by @abhimehro

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[trunk-io]

😎 Merged manually by @abhimehro - details.

[github-actions]

👋 Development Partner is reviewing this PR. Will provide feedback shortly.

[gemini-code-assist]

Summary of Changes

Hello @abhimehro, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request primarily focuses on enhancing the security of the application by mitigating a log injection vulnerability. It ensures that sensitive identifiers like folder IDs and primary keys are properly sanitized before being written to logs, preventing potential malicious code execution or log manipulation. Additionally, it includes necessary updates to the test suite to fix previously failing tests, improving the overall stability and correctness of the project.

Highlights

• Security Fix: Addressed a log injection vulnerability by sanitizing folder IDs and primary keys (PKs) before logging them, preventing malicious ANSI control code injection into terminal logs.
• Test Stability: Resolved existing test failures in test_plan_details.py and test_push_rules_perf.py to ensure the reliability and correctness of the test suite.

Changelog

• main.py
  • Applied sanitize_for_log() to profile_id in check_api_access error logging.
  • Applied sanitize_for_log() to folder_id in delete_folder info and error logging.
  • Applied sanitize_for_log() to pk (primary key) in create_folder info logging for both direct and polled creation methods.
• tests/test_plan_details.py
  • Updated assertions for test_print_plan_details_no_colors to match exact output formatting, including whitespace, for folder details.
• tests/test_push_rules_perf.py
  • Imported importlib module.
  • Refactored setUp method to correctly handle the main module import and potential reloads, ensuring tests use the correct module instance.
  • Removed mock_as_completed from the test_push_rules_single_batch_optimization signature and logic, as it's not relevant when the thread pool is bypassed.
  • Added patch("main._api_post_form") context managers to test_push_rules_single_batch_optimization and test_push_rules_skips_validation_for_existing to mock the API call directly when the thread pool is not used.
  • Changed patch.object(main, "RULE_PATTERN") to patch.object(self.main, "RULE_PATTERN") in test_push_rules_skips_validation_for_existing to correctly reference the module instance.

Activity

• PR created automatically by Jules for task 3451835848787490124, initiated by @abhimehro.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[Copilot]

Pull request overview

This PR addresses a HIGH severity Log Injection vulnerability where malicious folder IDs or PKs returned from API responses could inject ANSI control codes or other control characters into terminal logs. The fix applies the existing sanitize_for_log() function to folder_id and pk values before logging them. Additionally, it includes fixes for pre-existing test failures in test_plan_details.py and test_push_rules_perf.py.

Changes:

• Apply sanitize_for_log() to all folder_id and PK values before logging in main.py
• Fix test assertions in test_plan_details.py to match the actual right-aligned output format
• Refactor test_push_rules_perf.py tests to properly mock _api_post_form and use instance variables

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
main.py	Applies sanitize_for_log() to folder_id and PK values in check_api_access(), delete_folder(), and create_folder() functions to prevent log injection attacks
tests/test_plan_details.py	Fixes test assertions to account for right-aligned spacing in folder rule count output
tests/test_push_rules_perf.py	Refactors tests to use instance variables, properly mock _api_post_form, and fix patching issues with reloaded modules

[gemini-code-assist]

Code Review

This pull request effectively addresses a log injection vulnerability by consistently applying sanitize_for_log() to folder IDs and profile IDs before they are logged. The changes in main.py are correct and target the potential injection points from user input and API responses. Additionally, the PR includes valuable fixes for test failures in test_plan_details.py and test_push_rules_perf.py, which improve the robustness and reliability of the test suite. The code is clean and the fixes are well-implemented. Great work!

[github-actions]

👋 Development Partner is reviewing this PR. Will provide feedback shortly.