fix: code scanning alert no. 175: Log Injection

.github/actions/docker/action.yml

@@ -66,6 +66,20 @@ runs:
  docker build . --target lyra-landing-page --tag lyra-landing-page:latest
  shell: bash
 
+ # Cache for Trivy
+ - name: Set up Trivy cache directory
+ run: |
+ mkdir -p ~/.cache/trivy
+ shell: bash
+
+ - name: Cache Trivy DB
+ uses: actions/cache@v4
+ with:
+ path: ~/.cache/trivy
+ key: ${{ runner.os }}-trivy-db
+ restore-keys: |
+ ${{ runner.os }}-trivy-db
+
  - name: Publish to GHCR 📦
  uses: ./.github/actions/docker/ghcr
  with:

.github/actions/docker/dockerhub/action.yml

@@ -47,12 +47,9 @@ runs:
  docker tag lyra-app:latest docker.io/${{ inputs.docker_hub_image }}-app:latest
  docker tag lyra-landing-page:latest docker.io/${{ inputs.docker_hub_image }}-landing-page:${{ inputs.version }}
  docker tag lyra-landing-page:latest docker.io/${{ inputs.docker_hub_image }}-landing-page:latest
- docker push docker.io/${{ inputs.docker_hub_image }}:${{ inputs.version }}
- docker push docker.io/${{ inputs.docker_hub_image }}:latest
- docker push docker.io/${{ inputs.docker_hub_image }}-app:${{ inputs.version }}
- docker push docker.io/${{ inputs.docker_hub_image }}-app:latest
- docker push docker.io/${{ inputs.docker_hub_image }}-landing-page:${{ inputs.version }}
- docker push docker.io/${{ inputs.docker_hub_image }}-landing-page:latest
+ docker push --all-tags docker.io/${{ inputs.docker_hub_image }}
+ docker push --all-tags docker.io/${{ inputs.docker_hub_image }}-app
+ docker push --all-tags docker.io/${{ inputs.docker_hub_image }}-landing-page
  shell: bash
 
  - name: Push non-production container image to Docker Hub ${{ inputs.non_prod_tag }}
@@ -64,7 +61,7 @@ runs:
  docker.io/${{ inputs.image_name }}-app:${{ inputs.non_prod_tag }}
  docker tag lyra-landing-page:latest \
  docker.io/${{ inputs.image_name }}-landing-page:${{ inputs.non_prod_tag }}
- docker push docker.io/${{ inputs.docker_hub_image }}:${{ inputs.non_prod_tag }}
- docker push docker.io/${{ inputs.image_name }}-app:${{ inputs.non_prod_tag }}
- docker push docker.io/${{ inputs.image_name }}-landing-page:${{ inputs.non_prod_tag }}
+ docker push --all-tags docker.io/${{ inputs.docker_hub_image }}
+ docker push --all-tags docker.io/${{ inputs.image_name }}-app
+ docker push --all-tags docker.io/${{ inputs.image_name }}-landing-page
  shell: bash

.github/actions/docker/ghcr/action.yml

@@ -25,6 +25,21 @@ inputs:
 runs:
  using: composite
  steps:
+ # Trivy cache setup
+ - name: Set up Trivy cache directory
+ run: |
+ mkdir -p ~/.cache/trivy
+ shell: bash
+
+ - name: Cache Trivy DB
+ uses: actions/cache@v4
+ with:
+ path: ~/.cache/trivy
+ key: ${{ runner.os }}-trivy-db
+ restore-keys: |
+ ${{ runner.os }}-trivy-db
+
+ # Vulnerability scanning
  - name: OCI image vulnerability scanning
  uses: aquasecurity/[email protected]
  with:
@@ -55,12 +70,9 @@ runs:
  docker tag lyra-app:latest ghcr.io/${{ inputs.image_name }}-app:latest
  docker tag lyra-landing-page:latest ghcr.io/${{ inputs.image_name }}-landing-page:${{ inputs.version }}
  docker tag lyra-landing-page:latest ghcr.io/${{ inputs.image_name }}-landing-page:latest
- docker push ghcr.io/${{ inputs.image_name }}:${{ inputs.version }}
- docker push ghcr.io/${{ inputs.image_name }}:latest
- docker push ghcr.io/${{ inputs.image_name }}-app:${{ inputs.version }}
- docker push ghcr.io/${{ inputs.image_name }}-app:latest
- docker push ghcr.io/${{ inputs.image_name }}-landing-page:${{ inputs.version }}
- docker push ghcr.io/${{ inputs.image_name }}-landing-page:latest
+ docker push --all-tags ghcr.io/${{ inputs.image_name }}
+ docker push --all-tags ghcr.io/${{ inputs.image_name }}-app
+ docker push --all-tags ghcr.io/${{ inputs.image_name }}-landing-page
  shell: bash
 
  - name: Push non-production container image to GHCR ${{ inputs.non_prod_tag }}
@@ -70,7 +82,7 @@ runs:
  ghcr.io/${{ inputs.image_name }}:${{ inputs.non_prod_tag }}
  docker tag lyra-app:latest ghcr.io/${{ inputs.image_name }}-app:${{ inputs.non_prod_tag }}
  docker tag lyra-landing-page:latest ghcr.io/${{ inputs.image_name }}-landing-page:${{ inputs.non_prod_tag }}
- docker push ghcr.io/${{ inputs.image_name }}:${{ inputs.non_prod_tag }}
- docker push ghcr.io/${{ inputs.image_name }}-app:${{ inputs.non_prod_tag }}
- docker push ghcr.io/${{ inputs.image_name }}-landing-page:${{ inputs.non_prod_tag }}
+ docker push --all-tags ghcr.io/${{ inputs.image_name }}
+ docker push --all-tags ghcr.io/${{ inputs.image_name }}-app
+ docker push --all-tags ghcr.io/${{ inputs.image_name }}-landing-page
  shell: bash

apps/backend/src/main/kotlin/com/lyra/app/users/infrastructure/http/request/RegisterUserRequest.kt

@@ -16,8 +16,8 @@ import jakarta.validation.constraints.Size
  * @property email The email of the user. It must not be blank, must be a valid email address,
  * and must be less than 255 characters.
  * @property password The password of the user. It must not be blank and must be between 8 and 100 characters.
- * @property firstname The firstname of the user. It must not be blank and must be between 3 and 100 characters.
- * @property lastname The lastname of the user. It must not be blank and must be between 3 and 100 characters.
+ * @property firstname The firstname of the user. It must not be blank and must be between 1 and 100 characters.
+ * @property lastname The lastname of the user. It must not be blank and must be between 1 and 100 characters.
  */
 data class RegisterUserRequest(
  @field:NotBlank(message = "Email cannot be blank")
@@ -28,10 +28,10 @@ data class RegisterUserRequest(
  @field:Size(min = 8, max = 100, message = "Password must be between 8 and 100 characters")
  val password: String,
  @field:NotBlank(message = "Firstname cannot be blank")
- @field:Size(min = 3, max = 100, message = "Firstname must be between 3 and 100 characters")
+ @field:Size(min = 1, max = 100, message = "Firstname must be between 3 and 100 characters")
  val firstname: String,
  @field:NotBlank(message = "Lastname cannot be blank")
- @field:Size(min = 3, max = 100, message = "Lastname must be between 3 and 100 characters")
+ @field:Size(min = 1, max = 100, message = "Lastname must be between 3 and 100 characters")
  val lastname: String
 ) {
  /**

apps/backend/src/main/kotlin/com/lyra/app/users/infrastructure/persistence/keycloak/KeycloakRepository.kt

@@ -30,7 +30,7 @@
  }
 
  override suspend fun create(user: User): User {
- log.info("Saving user with email: {}", user.email.value)
+ log.info("Saving user with email: {}", user.email.value.replace("\n", "").replace("\r", ""))
 
  val message = "Error creating user with email: ${user.email.value}"
 
@@ -51,8 +51,8 @@
  } else {
  log.debug(
  "Trying to create user with email: {} and username: {}",
- user.email.value,
- user.username.value,
+ user.email.value.replace("\n", "").replace("\r", ""),
+ user.username.value.replace("\n", "").replace("\r", ""),
  )
  val userRepresentation = getUserRepresentation(user, credentialRepresentation)
  userRepresentation.username = user.username.value
@@ -63,8 +63,8 @@
  } catch (exception: BusinessRuleValidationException) {
  log.error(
  "Error creating user with email: {} and username: {}",
- user.email.value,
- user.username.value,
+ user.email.value.replace("\n", "").replace("\r", ""),
+ user.username.value.replace("\n", "").replace("\r", ""),
  exception,
  )
  when (exception) {
@@ -74,7 +74,11 @@
  else -> throw UserStoreException(message, exception)
  }
  } catch (exception: ClientErrorException) {
- log.error("Error creating user with email: {}", user.email.value, exception)
+ log.error(
+ "Error creating user with email: {}",
+ user.email.value.replace("\n", "").replace("\r", ""),
+ exception,
+ )
  throw UserStoreException(message, exception)
  }
  }

apps/backend/src/test/kotlin/com/lyra/app/authentication/infrastructure/http/UserAuthenticatorControllerIntegrationTest.kt

@@ -27,7 +27,7 @@ private const val ERROR_CATEGORY = "AUTHENTICATION"
 
 @Suppress("MultilineRawStringIndentation")
 @AutoConfigureWebTestClient
-class UserAuthenticatorControllerIntegrationTest : InfrastructureTestContainers() {
+internal class UserAuthenticatorControllerIntegrationTest : InfrastructureTestContainers() {
  // this user is created by default in Keycloak container (see demo-realm-test.json)
  private val email = "[email protected]"
  private val username = "john.doe"
@@ -190,7 +190,7 @@ class UserAuthenticatorControllerIntegrationTest : InfrastructureTestContainers(
  .bodyValue(
  """
  {
- "username": "${user.email}",
+ "username": "${user.email.value}",
  "password": "$randomPassword"
  }
  """.trimIndent(),

apps/backend/src/test/kotlin/com/lyra/app/users/infrastructure/http/UserRegisterControllerIntegrationTest.kt

@@ -187,7 +187,7 @@ internal class UserRegisterControllerIntegrationTest : InfrastructureTestContain
  {
  "email": "${faker.internet().emailAddress()}",
  "password": "${Credential.generateRandomCredentialPassword()}",
- "firstname": "a",
+ "firstname": "",
  "lastname": "${faker.name().lastName()}"
  }
  """.trimIndent(),
@@ -213,7 +213,7 @@ internal class UserRegisterControllerIntegrationTest : InfrastructureTestContain
  "email": "${faker.internet().emailAddress()}",
  "password": "${Credential.generateRandomCredentialPassword()}",
  "firstname": "${faker.name().firstName()}",
- "lastname": "a"
+ "lastname": ""
  }
  """.trimIndent(),
  )