
Conversation

@runleveldev
Collaborator

No description provided.

@runleveldev runleveldev force-pushed the sprint branch 2 times, most recently from ef62632 to bb1367f Compare January 26, 2026 20:19
@runleveldev runleveldev force-pushed the sprint branch 4 times, most recently from 3e09a13 to 5b3c70e Compare January 27, 2026 20:24
@runleveldev runleveldev force-pushed the sprint branch 4 times, most recently from 9010bc8 to 6de7ebe Compare January 27, 2026 22:21
@runleveldev runleveldev force-pushed the sprint branch 2 times, most recently from 130e81b to 169fc50 Compare January 28, 2026 20:25
await client.updateLxcConfig(node.name, node.placeholderCtId, {
[nextMp]: `${proxmoxVolume},mp=${placeholderMountPath}`
});
console.log(`Attached volume to placeholder at ${nextMp} with mount path ${placeholderMountPath}`);

Check failure

Code scanning / CodeQL

Clear-text logging of sensitive information (High)

This logs sensitive data returned by an access to apiKeys as clear text.

Copilot Autofix

AI about 15 hours ago

In general, the problem is that sensitive or user-derived information (req.session.user included in placeholderMountPath) is being logged in clear text. To fix this without changing existing functionality, we should avoid logging the sensitive portion while still retaining useful operational information. That means either removing placeholderMountPath from the log message or replacing it with a non-sensitive surrogate (e.g., just the mount point key nextMp or a static description).

The best minimal fix is to adjust the console.log on line 155 in create-a-container/routers/volumes.js so that it does not include placeholderMountPath. We can still log that the attachment succeeded and possibly which Proxmox volume and mount point index were used, which is sufficient for debugging without disclosing user-specific paths. No additional imports or helpers are required; we only change the log string.

Concretely:

  • In create-a-container/routers/volumes.js, locate the console.log at line 155.
  • Replace the message template so it omits placeholderMountPath, e.g., console.log(`Attached volume to placeholder at ${nextMp}`); or a similarly informative but non-sensitive message.
  • Leave all other code, including construction and use of placeholderMountPath, unchanged so functionality is preserved.
Suggested changeset 1
create-a-container/routers/volumes.js

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/create-a-container/routers/volumes.js b/create-a-container/routers/volumes.js
--- a/create-a-container/routers/volumes.js
+++ b/create-a-container/routers/volumes.js
@@ -152,7 +152,7 @@
       [nextMp]: `${proxmoxVolume},mp=${placeholderMountPath}`
     });
     await client.updateLxcConfig(node.name, node.placeholderCtId, { protection: 1 });
-    console.log(`Attached volume to placeholder at ${nextMp} with mount path ${placeholderMountPath}`);
+    console.log(`Attached volume ${proxmoxVolume} to placeholder at mount point ${nextMp}`);
 
     // Create database record
     await Volume.create({
EOF
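Review bot: the log line is only one sink for the tainted value; the same placeholderMountPath is still interpolated into the container configuration two lines above the changed statement (`[nextMp]: \`${proxmoxVolume},mp=${placeholderMountPath}\``), so whatever secret-derived data the CodeQL alert traced from apiKeys (the autofix rationale instead names req.session.user) remains readable through the Proxmox config and API after this patch. The replacement message itself is reasonable, but please confirm that proxmoxVolume is not derived from the same tainted source before logging it, and that no other console.log in this handler still echoes placeholderMountPath.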
@runleveldev runleveldev force-pushed the sprint branch 11 times, most recently from 85300f0 to 10ff000 Compare January 29, 2026 18:14