Skip to content

[sec] javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring — semgrep#9

Open
brokk-ccl wants to merge 1 commit into
mainfrom
brokk/sec-javascript-lang-security-audit-unsafe-format-ea81ca22
Open

[sec] javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring — semgrep#9
brokk-ccl wants to merge 1 commit into
mainfrom
brokk/sec-javascript-lang-security-audit-unsafe-format-ea81ca22

Conversation

@brokk-ccl

Copy link
Copy Markdown

Corrigir a issue de segurança unsafe-formatstring encontrada pelo scanner semgrep.

  • Regra: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
  • Severidade: low
  • Ocorrências: 1

Locais

  • examples/todo-node/index.ts:31

Detalhe do scanner

Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.

https://cwe.mitre.org/data/definitions/134.html

CWE-134: Use of Externally-Controlled Format String

Critério de aceite

Aplicar a correção em todos os locais acima. Depois do fix, um novo scan semgrep não deve mais reportar a regra javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring no alvo.

Despachado pelo Svalinn (remediação automática de segurança).

Verify: ❌ failed

verify output
Scope: all 6 workspace projects
✓ Lockfile passes supply-chain policies (verified 34s ago)
Progress: resolved 1, reused 0, downloaded 0, added 0
/home/brokk/work/worktrees/brokk__sec-javascript-lang-security-audit-unsafe-format-ea81ca22/panel:
[ERR_PNPM_FETCH_404] GET https://registry.npmjs.org/@cold-code-labs%2Fyggdrasil-brand: Not Found - 404

This error happened while installing a direct dependency of /home/brokk/work/worktrees/brokk__sec-javascript-lang-security-audit-unsafe-format-ea81ca22/panel

@cold-code-labs/yggdrasil-brand is not in the npm registry, or you have no permission to fetch it.

No authorization header was set for the request.


Command failed: pnpm install --no-frozen-lockfile --prod=false && pnpm -r typecheck

Acceptance (live): ❌ not met

acceptance check output
acceptance skipped: no supported runtime to boot (no supported runtime detected (and no detector available))

🔨 Forged by Brokk · task 5f517be1-2f83-497f-9244-6a91d96bc669

Use a constant format string with separate arguments instead of an
interpolated template literal in console.log. Resolves the semgrep
unsafe-formatstring finding dispatched by Svalinn.

Co-Authored-By: Brokk <noreply@coldcodelabs.com>
@valvesss valvesss force-pushed the brokk/sec-javascript-lang-security-audit-unsafe-format-ea81ca22 branch from af26dea to e4a8a5e Compare July 2, 2026 01:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant