Codecov Report

Merging #1171 (0d07bfb) into main (d2f1185) will increase coverage by 0.80%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main    #1171      +/-   ##
==========================================
+ Coverage   61.89%   62.70%   +0.80%     
==========================================
  Files          23       23              
  Lines        1475     1488      +13     
==========================================
+ Hits          913      933      +20     
+ Misses        476      471       -5     
+ Partials       86       84       -2     

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d2f1185...0d07bfb. Read the comment docs.

😩

Welp, this PR actually does escape the input as a "safe" go-string, which should not trigger CWE-117 (all non-text characters are escaped, including newlines etc.).
So even if this fixes the potential issue, it still does not clear the warning (and even introduces another warning since we are outputting the HTTP headers).

Soo, are we closing this, or are you still looking to continue at some point? The easIER solution here would probably be to just escape it and log it as-is.

Well, it is escaped (using %q). Not sure how we could escape it in a way that doesn't trigger the security rule. I think it's marginally better in this version, since it's clearly distinguished from an actual log message, but we could also just remove it all together.

I think I prefer the second option