fix(rsc-demo): address remaining CodeQL format string alerts

ScriptedAlchemy · claude · ScriptedAlchemy · commit 74f73f81e801 · 2025-12-02T10:58:20.000-08:00
Use console.log/warn %s formatting instead of template literals to avoid format string injection with user-provided values. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/apps/rsc-demo/packages/app1/server/api.server.js b/apps/rsc-demo/packages/app1/server/api.server.js
@@ -100,8 +100,11 @@ async function forwardActionToRemote(
 ) {
   const targetUrl = `${remoteConfig.url}/react${req.url.includes('?') ? req.url.substring(req.url.indexOf('?')) : ''}`;
 
+  // Log federation forwarding (use %s to avoid format string injection)
   console.log(
-    `[Federation] Forwarding action ${forwardedActionId} to ${targetUrl}`
+    '[Federation] Forwarding action %s to %s',
+    forwardedActionId,
+    targetUrl
   );
 
   // Collect request body
@@ -504,9 +507,11 @@ app.post(
     if (!actionFn) {
       const remoteApp = getRemoteAppForAction(actionId);
       if (remoteApp) {
+        // Use %s to avoid format string injection
         console.log(
-          `[Federation] Action ${actionId} belongs to ${remoteApp.app}, ` +
-            'no MF-registered handler found, forwarding via HTTP...'
+          '[Federation] Action %s belongs to %s, no MF-registered handler found, forwarding via HTTP...',
+          actionId,
+          remoteApp.app
         );
         await forwardActionToRemote(
           req,
@@ -521,8 +526,10 @@ app.post(
     if (!actionFn && actionEntry) {
       // For bundled server actions, they should be in the registry
       // File-level actions are also bundled into server.rsc.js
+      // Use %s to avoid format string injection
       console.warn(
-        `Action ${actionId} not in registry, manifest entry:`,
+        'Action %s not in registry, manifest entry:',
+        actionId,
         actionEntry
       );
     }
diff --git a/apps/rsc-demo/packages/app2/server/api.server.js b/apps/rsc-demo/packages/app2/server/api.server.js
@@ -368,13 +368,18 @@ app.post(
           } = require('react-server-dom-webpack/server');
           registerServerReference(candidate, actionEntry.id, actionEntry.name);
           actionFn = candidate;
+          // Use %s to avoid format string injection
           console.warn(
-            `[RSC] Lazily registered action ${actionId} from ${filePath} after cache miss`
+            '[RSC] Lazily registered action %s from %s after cache miss',
+            actionId,
+            filePath
           );
         }
       } catch (e) {
+        // Use %s to avoid format string injection
         console.warn(
-          `[RSC] Failed lazy-register for action ${actionId}:`,
+          '[RSC] Failed lazy-register for action %s:',
+          actionId,
           e.message
         );
       }
