fix(security): resolve CodeQL code alerts

Resolves CodeQL alert(s): #320, #321, #322, #324, #325
CWE: CWE-117 (log injection), empty password in config

Author: cl-efornaciari

.helm-repositories.yaml

@@ -7,24 +7,18 @@ repositories:
     keyFile: ''
     name: bitnami
     pass_credentials_all: false
-    password: ''
     url: https://charts.bitnami.com/bitnami
-    username: ''
   - caFile: ''
     certFile: ''
     insecure_skip_tls_verify: false
     keyFile: ''
     name: chainlink-qa
     pass_credentials_all: false
-    password: ''
     url: https://raw.githubusercontent.com/smartcontractkit/qa-charts/gh-pages/
-    username: ''
   - caFile: ''
     certFile: ''
     insecure_skip_tls_verify: false
     keyFile: ''
     name: grafana
     pass_credentials_all: false
-    password: ''
     url: https://grafana.github.io/helm-charts
-    username: ''

ops/localenv/main.go

@@ -66,6 +66,14 @@ func main() {
 	}
 }
 
+// sanitizeForOutput escapes newlines/carriage returns to prevent log injection (CWE-117).
+func sanitizeForOutput(s string) string {
+	s = strings.ReplaceAll(s, "\\", "\\\\")
+	s = strings.ReplaceAll(s, "\r", "\\r")
+	s = strings.ReplaceAll(s, "\n", "\\n")
+	return s
+}
+
 func setEnvIfNotExists(key, defaultValue string) {
 	value := os.Getenv(key)
 	if value == "" {
@@ -98,7 +106,7 @@ func run(name string, f string, args ...string) {
 				wg.Done()
 				break
 			}
-			fmt.Print(string(p[:n]))
+			fmt.Print(sanitizeForOutput(string(p[:n])))
 		}
 	}()
 	go func() {
@@ -109,7 +117,7 @@ func run(name string, f string, args ...string) {
 				wg.Done()
 				break
 			}
-			fmt.Print(string(p[:n]))
+			fmt.Print(sanitizeForOutput(string(p[:n])))
 		}
 	}()