
Platform links#5666

Open
delchev wants to merge 4 commits intomasterfrom
platform-links

Conversation

@delchev (Contributor) commented Feb 6, 2026

Fixes: #5665 - Platform links backend support

@delchev delchev requested a review from StanZGenchev February 6, 2026 21:09
this.sourceDir = Paths.get(this.repository.getInternalResourcePath(IRepositoryStructure.PATH_REGISTRY_PUBLIC))
.toAbsolutePath();

logger.info("Initializing the Local Registry file watcher on [{}], ignoring {}...", sourceDir, this.ignoredFolders);

Check failure

Code scanning / CodeQL: Log Injection (High)

This log entry depends on a user-provided value.

Copilot Autofix (AI, 2 days ago)

To fix the problem, we should ensure that values derived from untrusted input are sanitized before being logged. The specific risky log is:

logger.info("Initializing the Local Registry file watcher on [{}], ignoring {}...", sourceDir, this.ignoredFolders);

where this.ignoredFolders originates from DirigibleConfig.REGISTRY_LOCAL_IGNORED_FOLDERS, which in turn can be set dynamically via Configuration.set(key, value) with user-provided data.

The best, least intrusive fix without changing behavior is to sanitize the ignored folder names when they are read, so that all uses (including logging) receive cleaned values. We can do this inside LocalRegistryWatcher.getIgnoredFolders() by stripping newline and carriage-return characters (and optionally other control characters) from each folder name before adding it to the set. This leaves the rest of the configuration mechanism unchanged and only normalizes this specific value, which is expected to be a list of folder names and should not legitimately contain such characters anyway.

Concretely, in components/core/core-registry/src/main/java/org/eclipse/dirigible/components/registry/watcher/LocalRegistryWatcher.java, we will change getIgnoredFolders() from:

String[] folders = ignoredFolders.split(",");
return Arrays.stream(folders)
             .map(String::trim)
             .collect(Collectors.toSet());

to something like:

String[] folders = ignoredFolders.split(",");
return Arrays.stream(folders)
             .map(String::trim)
             .map(LocalRegistryWatcher::sanitizeFolderName)
             .collect(Collectors.toSet());

and add a private static helper method sanitizeFolderName in the same class that removes \r and \n (and optionally any other control characters) from the string. No new external dependencies are needed; we can rely only on core String operations and character checks. The rest of the code remains unchanged, and logs will now include only sanitized folder names, eliminating the log injection vector.

Suggested changeset 1
components/core/core-registry/src/main/java/org/eclipse/dirigible/components/registry/watcher/LocalRegistryWatcher.java

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/components/core/core-registry/src/main/java/org/eclipse/dirigible/components/registry/watcher/LocalRegistryWatcher.java b/components/core/core-registry/src/main/java/org/eclipse/dirigible/components/registry/watcher/LocalRegistryWatcher.java
--- a/components/core/core-registry/src/main/java/org/eclipse/dirigible/components/registry/watcher/LocalRegistryWatcher.java
+++ b/components/core/core-registry/src/main/java/org/eclipse/dirigible/components/registry/watcher/LocalRegistryWatcher.java
@@ -142,11 +142,27 @@
         String[] folders = ignoredFolders.split(",");
         return Arrays.stream(folders)
                      .map(String::trim)
+                     .map(LocalRegistryWatcher::sanitizeFolderName)
                      .collect(Collectors.toSet());
 
     }
 
     /**
+     * Sanitizes a folder name loaded from configuration to prevent log injection.
+     *
+     * @param folderName the original folder name
+     * @return the sanitized folder name
+     */
+    private static String sanitizeFolderName(String folderName) {
+        if (folderName == null) {
+            return null;
+        }
+        // Remove carriage return and newline characters to prevent log forging
+        return folderName.replace("\r", "")
+                         .replace("\n", "");
+    }
+
+    /**
      * Perform initial sync of all files and folders.
      *
      * @throws IOException Signals that an I/O exception has occurred.
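Review bot: sanitizeFolderName strips only \r and \n, so tab, backspace and ESC (the lead byte of ANSI escape sequences) still reach the log line, even though the explanation above names "other control characters" as the optional part of the fix; filtering on Character.isISOControl over the code points, or replaceAll("\\p{Cntrl}", ""), would close the whole class in one place. The folderName == null guard is dead, since String.split never yields null elements. Note also that stripping silently concatenates whatever followed a newline onto the preceding folder name; if the value is never expected to contain such characters, rejecting it (or logging a warning with the sanitized value) may be the better contract than quietly normalizing it.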
EOF
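The same split-trim-sanitize pipeline, carried one step further than the autofix above so that every ISO control character is dropped rather than only CR and LF; this is an added example, not Dirigible code, and the class and method names are hypothetical, as is the configuration value it parses.

```java
import java.util.Arrays;
import java.util.Set;
import java.util.stream.Collectors;

// Added example (not Dirigible code): parses a comma-separated ignored-folders
// value and strips every ISO control character, not only CR/LF, before the
// names can reach a log line. Class and method names are hypothetical.
public class IgnoredFoldersSanitizer {

    // Mirrors the shape of getIgnoredFolders(): split, trim, sanitize, collect.
    public static Set<String> parseIgnoredFolders(String configured) {
        if (configured == null || configured.isBlank()) {
            return Set.of();
        }
        return Arrays.stream(configured.split(","))
                     .map(String::trim)
                     .map(IgnoredFoldersSanitizer::sanitizeFolderName)
                     .filter(name -> !name.isEmpty())
                     .collect(Collectors.toSet());
    }

    // Drops CR, LF, TAB, ESC (start of ANSI sequences) and any other control
    // character; a legitimate folder name never needs them. Everything else,
    // including non-ASCII letters, is kept as-is.
    public static String sanitizeFolderName(String folderName) {
        StringBuilder out = new StringBuilder(folderName.length());
        folderName.codePoints()
                  .filter(cp -> !Character.isISOControl(cp))
                  .forEach(out::appendCodePoint);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed value: a fake second log entry is smuggled in behind a
        // newline, and an ESC-based ANSI "erase line" sequence precedes the last name.
        String configured = ".git, node_modules\n2026-02-06 INFO forged entry, \u001b[2Ktarget";
        Set<String> raw = Arrays.stream(configured.split(","))
                                .map(String::trim)
                                .collect(Collectors.toSet());
        Set<String> clean = parseIgnoredFolders(configured);
        System.out.println("unsanitized: " + raw);   // rendered log line spans two lines
        System.out.println("sanitized:   " + clean); // single line, no control characters
    }
}
```

Stripping keeps the fix non-intrusive, but it also joins "node_modules" and the text that followed the newline into one name; where a stricter contract is wanted, a validator that rejects any value containing a control character is the alternative.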
     *
     * @param path the path
     */
    public void directoryRegistered(Path path);

Check notice

Code scanning / CodeQL: Useless parameter (Note)

The parameter 'path' is never used.

Copilot Autofix (AI, 2 days ago): Copilot could not generate an autofix suggestion for this alert.

     *
     * @param path the path
     */
    public void directoryCreated(Path path);

Check notice

Code scanning / CodeQL: Useless parameter (Note)

The parameter 'path' is never used.

Copilot Autofix (AI, 2 days ago): Copilot could not generate an autofix suggestion for this alert.

     *
     * @param path the path
     */
    public void fileDeleted(Path path);

Check notice

Code scanning / CodeQL: Useless parameter (Note)

The parameter 'path' is never used.

Copilot Autofix (AI, 2 days ago): Copilot could not generate an autofix suggestion for this alert.


Development

Successfully merging this pull request may close these issues.

[Web] Platform links backend support
