From d8ed1cdf3774ae93ed9317b52942a7f627158941 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Wed, 5 Nov 2025 20:53:28 +0000 Subject: [PATCH 1/2] Security Fix: Prevent clear-text logging of sensitive information MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit addresses CodeQL security alert #34 by removing detailed error messages from workflow compilation failures that could potentially expose sensitive information from secret configurations. **Alert Details:** - Alert Number: #34 - Severity: High - Rule: go/clear-text-logging - CWE: CWE-312, CWE-315, CWE-359 **Changes Made:** - Modified pkg/cli/mcp_add.go line 147-149 to log generic error message - Removed direct inclusion of error details in console output - Error details are no longer passed through fmt.Sprintf which could leak sensitive data from the compilation process **Security Impact:** - Prevents potential exposure of secret values or sensitive configuration data in compilation error messages - Maintains user experience by still informing them of compilation failure - Users can still run 'gh aw compile --verbose' for detailed debugging **Testing:** - The fix maintains existing functionality - Generic error message provides sufficient information for users - Sensitive data no longer flows from secrets to logging output 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- pkg/cli/mcp_add.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkg/cli/mcp_add.go b/pkg/cli/mcp_add.go index b8a77f824a..0c252d6f80 100644 --- a/pkg/cli/mcp_add.go +++ b/pkg/cli/mcp_add.go @@ -144,8 +144,9 @@ func AddMCPTool(workflowFile string, mcpServerID string, registryURL string, tra mcpAddLog.Print("Compiling workflow after adding MCP tool") compiler := workflow.NewCompiler(verbose, "", "") if err := compiler.CompileWorkflow(workflowPath); err != nil { - mcpAddLog.Printf("Workflow compilation failed: %v", err) - fmt.Println(console.FormatWarningMessage(fmt.Sprintf("Workflow compilation failed: %v", err))) + // Log generic error message to avoid exposing sensitive information + mcpAddLog.Print("Workflow compilation failed") + fmt.Println(console.FormatWarningMessage("Workflow compilation failed. Please check your workflow configuration.")) fmt.Println(console.FormatInfoMessage("You can fix the issues and run 'gh aw compile' manually")) } else { mcpAddLog.Print("Workflow compiled successfully") From 7c7cb758b20cd209ba5e17e1ddec3fd991e52644 Mon Sep 17 00:00:00 2001 From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Wed, 5 Nov 2025 13:15:11 -0800 Subject: [PATCH 2/2] Restore compiler error display in mcp add command (#3273) * Initial plan * Show compiler errors to users in mcp add command Restored display of compilation error messages in pkg/cli/mcp_add.go. The previous security fix was overly broad - compilation errors from CompileWorkflow() are already formatted for user display and don't contain sensitive information. These errors help users fix syntax and validation issues in their workflow files. The error is now printed to stderr as intended, while debug logs still capture the error details for troubleshooting. Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/cli/mcp_add.go | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/pkg/cli/mcp_add.go b/pkg/cli/mcp_add.go index 0c252d6f80..4639b3eb0d 100644 --- a/pkg/cli/mcp_add.go +++ b/pkg/cli/mcp_add.go @@ -144,9 +144,8 @@ func AddMCPTool(workflowFile string, mcpServerID string, registryURL string, tra mcpAddLog.Print("Compiling workflow after adding MCP tool") compiler := workflow.NewCompiler(verbose, "", "") if err := compiler.CompileWorkflow(workflowPath); err != nil { - // Log generic error message to avoid exposing sensitive information - mcpAddLog.Print("Workflow compilation failed") - fmt.Println(console.FormatWarningMessage("Workflow compilation failed. Please check your workflow configuration.")) + mcpAddLog.Printf("Workflow compilation failed: %v", err) + fmt.Fprintln(os.Stderr, err) fmt.Println(console.FormatInfoMessage("You can fix the issues and run 'gh aw compile' manually")) } else { mcpAddLog.Print("Workflow compiled successfully")