Security — Zero Open CodeQL Alerts
This release resolves the final 4 remaining CodeQL code scanning alerts.
Fixes
- py/log-injection (1 alert): Removed the integer argument from a `logger.info` call in `web/api/documents.py`; replaced it with a static message string.
- py/stack-trace-exposure (3 alerts): Applied explicit type casting (`str()`, `int()`, `float()`) to all values in API response dicts in `web/api/documents.py` (2 alerts) and `web/api/consolidation.py` (1 alert), breaking the taint flow from user-supplied input to response data that CodeQL was tracking.
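As an added illustration (not code from this project), the two fix patterns above in one hypothetical handler: a static log message with the user-controlled value moved into a sanitised `extra` field, and a response dict built only from explicitly cast values, with the failure branch returning a fixed body so no exception text reaches the client. All function and parameter names are assumptions.

```python
import logging
import re

logger = logging.getLogger(__name__)

# Matches CR, LF and other control characters that could forge a new log line.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_for_log(value) -> str:
    """Strip control characters so a user value placed in a log record
    cannot inject a fake line (py/log-injection mitigation)."""
    return CONTROL_CHARS.sub("", str(value))


def build_document_response(doc_id, page_count, score) -> dict:
    """Build a response dict whose values are explicitly cast, the same
    pattern as the py/stack-trace-exposure fix: every field is a plain
    str/int/float, never a raw exception object or an untyped user value."""
    return {
        "id": str(doc_id),
        "pages": int(page_count),
        "score": float(score),
    }


def handle_document_request(params: dict) -> tuple:
    """Hypothetical handler: returns (response_body, http_status).

    `params` stands in for user-supplied request parameters (constructed
    input in the test; no framework is assumed)."""
    # Static message string; the user value only appears as a sanitised field.
    logger.info("document request received",
                extra={"doc_id": sanitize_for_log(params.get("id", ""))})
    try:
        body = build_document_response(params["id"], params["pages"], params["score"])
        return body, 200
    except (KeyError, ValueError, TypeError):
        # Traceback goes to the server log only; the client gets a fixed body,
        # so casting alone is not relied on to keep exception details private.
        logger.exception("document request failed")
        return {"error": "invalid request"}, 400
```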
Result
0 open CodeQL security alerts — complete remediation across all alert categories after a multi-release campaign:
| Release | Alerts Fixed |
|---|---|
| v10.17.3 | 21 (log injection, tarslip, stack-trace) |
| v10.17.6–7 | 200 (unused/repeated/cyclic imports) |
| v10.17.8 | 27 (clear-text logging, ReDoS, url-redirection) |
| v10.17.9–10 | 47 (log injection, clear-text logging, url-redirection) |
| v10.17.11–12 | 49 (file triplication, repeated-import, multiple-definition) |
| v10.17.13 | 4 (log-injection, stack-trace-exposure) |
Full Changelog: v10.17.12...v10.17.13