Skip to content

fix(web): resolve false-positive js/insufficient-password-hash CodeQL alert#1435

Draft
linear-code[bot] wants to merge 2 commits into
mainfrom
linear/sou-1495-sourcebot-devsourcebot-codeqljsinsufficient-password-b433
Draft

fix(web): resolve false-positive js/insufficient-password-hash CodeQL alert#1435
linear-code[bot] wants to merge 2 commits into
mainfrom
linear/sou-1495-sourcebot-devsourcebot-codeqljsinsufficient-password-b433

Conversation

@linear-code

@linear-code linear-code Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Fixes SOU-1495

CodeQL's sensitive-data heuristic classifies any identifier containing oauth as a password. As a result, requestedOAuthScopes flowing into createHash('sha256') in getMcpListToolsCacheKey tripped js/insufficient-password-hash (HIGH). This is a false positive: the OAuth scope strings are not secret, and the hash was only used to build a per-scope segment of the Redis cache key for MCP tool-list results.

Rather than suppress the alert (GitHub's default CodeQL setup doesn't honor inline suppression comments), this removes the cryptographic operation entirely. The scope segment is now derived by base64url-encoding the normalized (deduped, sorted) scope list, which is deterministic, collision-free, and delimiter-safe (: is the cache-key delimiter). Since it's no longer a CryptographicOperation, the rule can't fire regardless of the misclassification.

Existing mcpToolSets tests pass; they assert the cache-key prefix and don't depend on the scope segment's exact value.

linear-code Bot added 2 commits July 11, 2026 13:44
… cache key

CodeQL's sensitive-data heuristic classifies any identifier containing
"oauth" as a password, so the requested OAuth scopes flowing into
createHash('sha256') tripped js/insufficient-password-hash. These scopes
are not secret; the hash only produced a cache-key segment. Replace it
with a base64url encoding of the normalized scope list, which is
deterministic, delimiter-safe, and not a cryptographic operation.

Generated with [Linear](https://linear.app/sourcebot/issue/SOU-1495/sourcebot-devsourcebot-codeqljsinsufficient-password-hash-high#agent-session-424c6dc8)

Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com>
Generated with [Linear](https://linear.app/sourcebot/issue/SOU-1495/sourcebot-devsourcebot-codeqljsinsufficient-password-hash-high#agent-session-424c6dc8)

Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants