What's Changed
Security Fixes (Critical)
- py/log-injection (34 alerts): Added `_sanitize_log_value()` helper across 15 files. All user-provided values are stripped of newlines and ANSI escape codes before log inclusion, preventing log forging attacks (CWE-117).
- py/tarslip (1 alert): Added path-traversal prevention (`_safe_tar_extract()`) in ONNX embedding model downloads (CWE-22).
- py/stack-trace-exposure (2 alerts): HTTP 500 responses no longer expose internal exception details. Generic messages are returned to clients; tracebacks are logged internally.
Code Quality Fixes
- py/unused-import (22 alerts): Removed dead imports across 15 files
- py/unused-local-variable (22 alerts): Removed dead assignments across 13 files
- py/call/wrong-named-argument (7 alerts): Fixed `_DummyFastMCP.tool()` signature
- py/mixed-returns (3 alerts): Added explicit return values in 3 files
- py/mixed-tuple-returns (1 alert): Made `sync_single_memory()` consistently return 3-tuples
- py/inheritance/signature-mismatch (2 alerts): Fixed the `ConsolidationBase.process()` abstract method signature
- py/multiple-definition (2 alerts): Removed a duplicate method and a dead variable
- py/comparison-of-identical-expressions (1 alert): Replaced `x != x` with `math.isnan(x)`
- py/undefined-export (1 alert): Fixed `__all__` in the OAuth storage `__init__.py`
- py/unused-global-variable (1 alert): Removed the unused `consolidator` module global
- py/uninitialized-local-variable (1 alert): Added `score = 0.5` initialization
Total: 100 CodeQL alerts resolved across 40 files. No functional changes.
Full Changelog: v10.17.6...v10.17.7