fix(security): redact at source and cap marshal sizes for CodeQL

CodeQL kept flagging the merge logger because taint flowed Password ->
ClientMergeConflict.Old -> log even with a runtime redact helper -- the
analyzer can't prove the branch excludes credentials. Redact at the
source instead: uuid/password/auth/subId now only ever land in the
conflict struct as <redacted> placeholders, so no caller (log or
otherwise) can leak them.

For the ClientWithAttachments marshal overflow alert, replace the
MaxInt-len() arithmetic with explicit per-input size caps (256MB each),
which is the pattern CodeQL's own docs recommend and recognizes.
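The two fixes described in the commit message, written out as an added, self-contained example (this is not the project's code; the `client`, `conflict` and `clientWithAttachments` types, the `mask`/`redact`/`spliceObjects` helpers and the sample values are constructed here to illustrate the pattern). The first half shows "redact at source": the conflict struct can only be built through a constructor that masks the secret-bearing fields, so a logger or any other reader of it has nothing to leak. The second half shows the per-input size cap in a JSON splice; unlike the diff it reports an oversized input as an error rather than returning the record without its attachments:

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Redacted is the placeholder written into the conflict struct in place of
// every credential-bearing field.
const Redacted = "<redacted>"

// client is a hypothetical stand-in for the project's client record; the
// secret-bearing field names follow the commit message.
type client struct {
	Email    string `json:"email"`
	UUID     string `json:"uuid,omitempty"`
	Password string `json:"password,omitempty"`
	Auth     string `json:"auth,omitempty"`
	SubID    string `json:"subId,omitempty"`
}

// mask replaces a non-empty secret with the placeholder and leaves an empty
// field empty, so the conflict still shows which fields were set.
func mask(s string) string {
	if s == "" {
		return ""
	}
	return Redacted
}

// redact returns a copy of c with every secret field masked. Because this
// happens before the value is stored anywhere, no later reader can recover them.
func redact(c client) client {
	c.UUID, c.Password, c.Auth, c.SubID = mask(c.UUID), mask(c.Password), mask(c.Auth), mask(c.SubID)
	return c
}

// conflict holds the two colliding versions of a client. It is only ever
// built through newConflict, which is the "redact at source" guarantee.
type conflict struct {
	Old, New client
}

func newConflict(old, updated client) conflict {
	return conflict{Old: redact(old), New: redact(updated)}
}

// String is what a logger formats; it cannot leak because Old/New hold no secrets.
func (c conflict) String() string {
	return fmt.Sprintf("merge conflict for %s: old=%+v new=%+v", c.Old.Email, c.Old, c.New)
}

// maxMarshalSize caps each marshal input separately (256 MiB). With both
// inputs bounded, len(rec)+len(extra) cannot overflow even a 32-bit int.
const maxMarshalSize = 256 << 20

var errTooLarge = errors.New("marshal: input exceeds size cap")

// spliceObjects appends the members of the JSON object extra into the JSON
// object rec without parsing either; both are expected to be compact output
// of json.Marshal. limit is the per-input cap, and exceeding it is an error
// rather than a silent drop of the extra members.
func spliceObjects(rec, extra []byte, limit int) ([]byte, error) {
	if len(rec) < 2 || rec[len(rec)-1] != '}' || len(extra) <= 2 || extra[0] != '{' {
		return rec, nil
	}
	if len(rec) > limit || len(extra) > limit {
		return nil, errTooLarge
	}
	out := make([]byte, 0, len(rec)+len(extra))
	out = append(out, rec[:len(rec)-1]...) // rec without its closing '}'
	if len(rec) > 2 {                      // rec had members, so separate them
		out = append(out, ',')
	}
	return append(out, extra[1:]...), nil // extra without its opening '{'
}

// clientWithAttachments is a hypothetical type mirroring the page's
// ClientWithAttachments: a client plus free-form attachment members.
type clientWithAttachments struct {
	client
	Attachments map[string]any
}

func (c clientWithAttachments) MarshalJSON() ([]byte, error) {
	rec, err := json.Marshal(c.client) // client has no MarshalJSON, so no recursion
	if err != nil {
		return nil, err
	}
	if len(c.Attachments) == 0 {
		return rec, nil
	}
	extra, err := json.Marshal(c.Attachments)
	if err != nil {
		return nil, err
	}
	return spliceObjects(rec, extra, maxMarshalSize)
}

func main() {
	// Constructed sample values; the "secrets" below are placeholders.
	old := client{Email: "user@example.test", UUID: "11111111-2222-3333-4444-555555555555", Password: "hunter2"}
	updated := client{Email: "user@example.test", Password: "hunter3", SubID: "sub-42"}
	fmt.Println(newConflict(old, updated)) // shows only <redacted> placeholders

	b, err := json.Marshal(clientWithAttachments{client: redact(old), Attachments: map[string]any{"note": "constructed"}})
	fmt.Println(string(b), err)

	_, err = spliceObjects([]byte(`{"a":1}`), []byte(`{"b":2}`), 4) // tiny cap to show the refusal
	fmt.Println(err)
}
```

The cap is passed as a parameter so the refusal path can be exercised with a small limit; production callers use `maxMarshalSize`, which keeps the combined length well under 32-bit `int` range without any `MaxInt - len()` arithmetic for an analyzer to reason about.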
This commit is contained in:
MHSanaei
2026-05-19 12:48:01 +02:00
parent 788c979ad1
commit b36e5e0869
3 changed files with 11 additions and 25 deletions


@@ -6,7 +6,6 @@ import (
"encoding/json"
"errors"
"fmt"
"math"
"strings"
"sync"
"time"
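Review bot: dropping the "math" import is only correct if math.MaxInt was its sole use in this file; the second hunk removes that one use in MarshalJSON, so the two hunks are consistent, but they must land together or the file stops compiling.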
@@ -48,7 +47,8 @@ func (c ClientWithAttachments) MarshalJSON() ([]byte, error) {
if len(rec) < 2 || rec[len(rec)-1] != '}' || len(extra) <= 2 {
return rec, nil
}
if len(extra) > math.MaxInt-len(rec) {
const maxMarshalSize = 256 << 20
if len(rec) > maxMarshalSize || len(extra) > maxMarshalSize {
return rec, nil
}
out := make([]byte, 0, len(rec)+len(extra))
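Review bot: the new cap at `if len(rec) > maxMarshalSize || len(extra) > maxMarshalSize` falls through to `return rec, nil`, which silently emits the record without its attachments instead of reporting the oversized input; since "errors" and "fmt" are already imported, consider returning an error so a caller cannot persist or serve a truncated document without noticing. A one-line comment on `const maxMarshalSize = 256 << 20` stating the unit (256 MiB) and that the two caps keep `len(rec)+len(extra)` well inside a 32-bit int would also make the intent clear to the next reader, not just to the analyzer.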