Skip to content

배포#25

Merged
chungjeongsu merged 6 commits into
mainfrom
develop
Apr 7, 2026
Merged

배포#25
chungjeongsu merged 6 commits into
mainfrom
develop

Conversation

@chungjeongsu

Copy link
Copy Markdown
Contributor

No description provided.

@chungjeongsu chungjeongsu merged commit 6e6cb9a into main Apr 7, 2026
3 checks passed

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request transitions the extraction of travelItineraryId from query parameters to the token payload within SecondaryTokenAuthenticator.js, while also introducing extensive logging for WebSocket lifecycle events in TravelDocWebSocketServer.js. Feedback was provided regarding a potential sensitive data exposure in the URL sanitization logic, where a fallback is needed to ensure tokens are redacted even if URL parsing fails.

Comment on lines +283 to +285
} catch {
return req.url ?? "/";
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-medium medium

The catch block in sanitizeRequestUrl returns the original req.url if parsing fails. If the URL contains a sensitive secondaryToken and the parser throws an error (e.g., due to a malformed host header or an invalid URL structure), the unredacted token will be logged. It is safer to return a generic string or perform a basic string replacement as a fallback to prevent sensitive data exposure in logs.

Suggested change
} catch {
return req.url ?? "/";
}
} catch {
return (req.url ?? "/").replace(/secondaryToken=[^&]*/g, "secondaryToken=[redacted]");
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants