fix(photon): suppress CodeQL clear-text-logging false-positives in auth.py

After four iterations the taint flow finally settled on auth.py's
print_credential_summary, which emits four lines like
`emit(f"  device token        : {_present_token()}")`. The
`_present_*()` closures collapse credentials into display literals
("✓ stored" / "✗ missing") before the f-string evaluation, so no
secret bytes ever reach emit() — but CodeQL's interprocedural taint
tracker can't see through the closure-then-literal-return pattern
and keeps flagging the four lines.

This is the appropriate place for an inline suppression:
  - auth.py is the only module that legitimately handles the secret;
    every other surface (cli.py, adapter.py, tests) routes through
    these helpers and stays clear of taint.
  - The four lines are physically the boundary between
    credential-reading code and a display callback. Without the
    `emit(...)` calls there is no status command.
  - The suppression is per-line with a comment explaining the
    misfire pattern so a future maintainer can see the reasoning
    without git-archaeology.

If GitHub's hosted CodeQL doesn't honor # lgtm comments on default-
config scans we'll need to dismiss these as false positives in the
Security tab once — that's the standard escape valve for this rule.

Validation:
  tests/plugins/platforms/photon/ → 26/26 pass
  py_compile clean
Teknium 2026-05-25 19:53:41 -07:00
parent 2ee7abf271
commit 6a0cc9bf92
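The closure-then-literal pattern the commit message describes, as an added example that is not Photon's own auth.py: a hypothetical in-memory `store` stands in for wherever auth.py actually reads credentials, `_preview` is a deliberately leaky variant a future maintainer might be tempted to add, and `leaked_credentials` is the regression check that would keep a per-line suppression honest. The real `_present_*()` helpers and the credential source are not on this page; every name and value below is assumed or constructed.

```python
"""Added example, not Photon's code: show why the f-string in
print_credential_summary never sees secret bytes, and how to test that."""
from typing import Callable, Dict, List, Optional

# Constructed sample credential store (hypothetical); all values are fake.
store: Dict[str, Optional[str]] = {
    "device_token": "tok-0123456789abcdef",
    "project_id": "8f3c-2290",
    "project_secret": None,          # deliberately missing
    "webhook_secret": "whk-fedcba9876543210",
}

Getter = Callable[[], Optional[str]]
Presenter = Callable[[], str]


def _presence(getter: Getter) -> Presenter:
    """Closure that reads the credential and returns only a display literal.
    The secret value is consumed here and never leaves the closure."""
    def present() -> str:
        return "✓ stored" if getter() else "✗ missing"
    return present


def _preview(getter: Getter) -> Presenter:
    """Leaky variant (hypothetical): a 'last four characters' preview.
    Included only to show what the check below catches."""
    def present() -> str:
        value = getter()
        return f"✓ stored (…{value[-4:]})" if value else "✗ missing"
    return present


FIELDS = [
    ("device token", "device_token"),
    ("project id", "project_id"),
    ("project key", "project_secret"),
    ("webhook key", "webhook_secret"),
]


def _presenters(wrap: Callable[[Getter], Presenter]) -> Dict[str, Presenter]:
    # Bind `key` per lambda so each closure reads its own store entry.
    return {key: wrap(lambda key=key: store[key]) for _, key in FIELDS}


def print_credential_summary(emit: Callable[[str], object] = print,
                             leaky: bool = False) -> None:
    """Mirror of the status command: only presenter output reaches emit()."""
    presenters = _presenters(_preview if leaky else _presence)
    emit("Photon iMessage status")
    emit("──────────────────────")
    for label, key in FIELDS:
        emit(f"  {label:<20}: {presenters[key]()}")


def render_summary(leaky: bool = False) -> List[str]:
    """Capture the emitted lines instead of printing them."""
    lines: List[str] = []
    print_credential_summary(lines.append, leaky=leaky)
    return lines


def leaked_credentials(lines: List[str], min_run: int = 4) -> List[str]:
    """Names of stored credentials of which any `min_run`-character run
    appears in the rendered output. Empty list means the display path is
    clean; a non-empty list is the regression a suppression would hide."""
    hits: List[str] = []
    for name, value in store.items():
        if not value:
            continue
        runs = {value[i:i + min_run] for i in range(len(value) - min_run + 1)}
        if any(run in line for run in runs for line in lines):
            hits.append(name)
    return hits


if __name__ == "__main__":
    print("\n".join(render_summary()))
    print("leaks (literal presenters):", leaked_credentials(render_summary()))
    print("leaks (preview presenters):", leaked_credentials(render_summary(leaky=True)))
```

The window-based check is deliberately stricter than a whole-value search: a masked preview leaks a tail of the secret, not the full string, and a test that only looks for the complete value would pass it. Keeping a check like this next to the suppressed lines is what makes the "no secret bytes ever reach emit" comment an enforced property rather than a claim.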

@ -452,10 +452,15 @@ def print_credential_summary(emit: Any = print) -> None:
emit("Photon iMessage status")
emit("──────────────────────")
emit(f" device token : {_present_token()}")
emit(f" project id : {_present_project_id()}")
emit(f" project key : {_present_project_secret()}")
emit(f" webhook key : {_present_webhook_secret()}")
# CodeQL's clear-text-logging-sensitive-data rule misfires here: the
# f-string values come from _present_*() closures which already
# collapse credentials into display literals like "✓ stored" /
# "✗ missing" — no secret bytes ever reach emit. The rule's taint
# flow can't see the literal-only return; suppress per-line.
emit(f" device token : {_present_token()}") # lgtm[py/clear-text-logging-sensitive-data]
emit(f" project id : {_present_project_id()}") # lgtm[py/clear-text-logging-sensitive-data]
emit(f" project key : {_present_project_secret()}") # lgtm[py/clear-text-logging-sensitive-data]
emit(f" webhook key : {_present_webhook_secret()}") # lgtm[py/clear-text-logging-sensitive-data]
def credential_summary() -> Dict[str, str]:
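Review bot: the suppression rests on a property this hunk cannot show, namely that `_present_token()`, `_present_project_id()`, `_present_project_secret()` and `_present_webhook_secret()` return only the literals "✓ stored" / "✗ missing". The comment above the four `emit(...)` lines asserts it, but nothing in the change enforces it, so a later edit that makes one helper return a masked preview would ship silently under the existing `# lgtm[py/clear-text-logging-sensitive-data]` markers. Add a test in tests/plugins/platforms/photon/ that renders `print_credential_summary` into a list and asserts that no configured credential value (or any substring of it) appears in any emitted line, and point the comment at that test. Separately, the commit message itself doubts that hosted CodeQL honors `# lgtm` comments on default-config scans; confirm on the next scan before treating these markers as the fix, otherwise dismissing the four alerts in the Security tab is the change that actually lands.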