SignalForge Node 2025.05.23#9
Merged
## Summary

- Adds a 1280x640 GitHub social preview image using the official SignalForge logo.
- Keeps the SVG source beside the upload-ready PNG.

## Notes

GitHub repo cards use the Social preview image configured in repository settings; this asset is ready to upload there.
Replace ghcr.io/cptplastic/* image references with ghcr.io/signalforge-org/* in the README so documentation points to the new organization/container registry for server, client, and mock-call-sender images.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…m user-controlled sources (#6)

Potential fix for https://github.com/CptPlastic/signalforge-node/security/code-scanning/5

Use a strict allowlist-driven query assembly where `ORDER BY` fragments are selected from predefined constants, and avoid passing through raw request-derived strings into `fmt.Sprintf` SQL structure interpolation.

Best fix in `server/internal/database/calls.go`:

- Keep existing behavior (same supported sort fields and ASC/DESC handling).
- Change sort normalization to return a **single safe ORDER BY clause constant** (for example `"datetime DESC"`, `"duration ASC"`, etc.) derived only from fixed internal strings.
- Build final query with that clause, while continuing to parameterize `LIMIT/OFFSET` and all filters.
- This preserves functionality and makes the SQL-construction safety explicit.

No changes are required in `server/internal/api/calls.go` for functionality/security once DB-layer strict allowlisting is made explicit.

_Suggested fixes powered by Copilot Autofix. Review carefully before merging._

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
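The allowlist-driven `ORDER BY` assembly described in the commit message above, written out as an added example. This is illustrative code, not the project's own `server/internal/database/calls.go`; the table name `calls`, the columns `datetime` and `duration`, the `?` placeholder style and the function names are assumptions. The unsafe variant is kept beside the fixed one only to show which pattern the code-scanning alert is about: the sort strings from the request reach the SQL text directly, whereas the fixed version can only ever emit one of the fixed clause constants.

```go
package main

import (
	"fmt"
	"strings"
)

// orderByClauses is the fixed allowlist of ORDER BY fragments. Every value is
// an internal string literal, so the clause that reaches the query never
// contains request-derived bytes. The field names are assumptions for this
// example, not the project's real schema.
var orderByClauses = map[string]string{
	"datetime:asc":  "datetime ASC",
	"datetime:desc": "datetime DESC",
	"duration:asc":  "duration ASC",
	"duration:desc": "duration DESC",
}

// defaultOrderBy is returned whenever the request does not name an allowlisted pair.
const defaultOrderBy = "datetime DESC"

// NormalizeOrderBy maps a caller-supplied sort field and direction to one of
// the allowlisted clause constants. Unknown or malformed input falls back to
// defaultOrderBy instead of being echoed into the query.
func NormalizeOrderBy(sortField, sortDir string) string {
	key := strings.ToLower(strings.TrimSpace(sortField)) + ":" +
		strings.ToLower(strings.TrimSpace(sortDir))
	if clause, ok := orderByClauses[key]; ok {
		return clause
	}
	return defaultOrderBy
}

// BuildCallsQueryUnsafe shows the pattern the fix removes: the raw request
// strings become part of the SQL structure. Kept only for contrast.
func BuildCallsQueryUnsafe(sortField, sortDir string, limit, offset int) (string, []any) {
	q := fmt.Sprintf("SELECT id, datetime, duration FROM calls ORDER BY %s %s LIMIT ? OFFSET ?",
		sortField, sortDir)
	return q, []any{limit, offset}
}

// BuildCallsQuery assembles the query from the allowlisted clause constant.
// fmt.Sprintf is still used, but its only argument is one of the fixed strings
// above; LIMIT and OFFSET stay bound parameters ('?' placeholders assumed).
func BuildCallsQuery(sortField, sortDir string, limit, offset int) (string, []any) {
	clause := NormalizeOrderBy(sortField, sortDir)
	q := fmt.Sprintf("SELECT id, datetime, duration FROM calls ORDER BY %s LIMIT ? OFFSET ?", clause)
	return q, []any{limit, offset}
}

func main() {
	// Constructed request values, as they might arrive from query parameters.
	inputs := [][2]string{{"duration", "asc"}, {" Datetime ", "DESC"}, {"caller_id", "asc"}}
	for _, in := range inputs {
		q, args := BuildCallsQuery(in[0], in[1], 50, 0)
		fmt.Printf("%-14q %-6q -> %s  args=%v\n", in[0], in[1], q, args)
	}
}
```

Because `NormalizeOrderBy` returns a value from the map or the default constant, a reviewer can confirm by reading that one function that no request byte ever reaches the SQL text; adding a sort field means adding a map entry, not loosening a check.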
#8) …m user-controlled sources

If a database query (such as an SQL or NoSQL query) is built from user-provided data without sufficient sanitization, a malicious user may be able to run commands that exfiltrate, tamper with, or destroy data stored in the database.

# Pull Request

## Summary

Describe what changed and why.

## Type Of Change

- [x] Bug fix
- [ ] Documentation
- [ ] Operator/deployment improvement
- [ ] Recorder/client change
- [ ] Server/API change
- [ ] Database migration
- [ ] Federation/trust change

## Checks

- [x] I ran relevant local checks.
- [x] I did not commit secrets, real `.env` files, database dumps, call audio, or local volumes.
- [x] I preserved the AGPL-3.0-or-later license terms.
- [x] I updated docs if behavior or operator setup changed.

## Sensitive Areas

Does this touch auth, upload keys, federation trust, official/verified status, database migrations, public deployment defaults, or security policy?

- [x] No
- [ ] Yes, and I explained the risk below

Risk notes:

## Screenshots

Add screenshots for visible UI changes.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Removed deployment buttons for Railway and Render from README.
## Summary

Sync from Dev

## Type Of Change

## Sensitive Areas

Does this touch auth, upload keys, federation trust, official/verified status, database migrations, public deployment defaults, or security policy?

Risk notes: There should be no one using this node code as of yet, but if you are, you need to REDEPLOY the whole stack to upgrade.

## Screenshots

Add screenshots for visible UI changes.