From 717bbcf2e7bc68bf062668f56dc899a0751f2769 Mon Sep 17 00:00:00 2001
From: Matt Owens
Date: Wed, 21 Sep 2022 13:03:16 -0400
Subject: [PATCH] Sanitize user submitted values before logging (#2134)
* strip line breaks from user-submitted values before logging
* finish comment
---
 core/chat/events.go | 10 +++++++++-
 core/chat/server.go | 2 +-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/core/chat/events.go b/core/chat/events.go
index 6ea148248..5213eba64 100644
--- a/core/chat/events.go
+++ b/core/chat/events.go
@@ -36,7 +36,7 @@ func (s *Server) userNameChanged(eventData chatClientEvent) {
 normalizedName = strings.ToLower(normalizedName)
 if strings.Contains(normalizedName, proposedUsername) {
 // Denied.
- log.Debugln(eventData.client.User.DisplayName, "blocked from changing name to", proposedUsername, "due to blocked name", normalizedName)
+ log.Debugln(logSanitize(eventData.client.User.DisplayName), "blocked from changing name to", logSanitize(proposedUsername), "due to blocked name", normalizedName)

 message := fmt.Sprintf("You cannot change your name to **%s**.", proposedUsername)
 s.sendActionToClient(eventData.client, message)
@@ -138,3 +138,11 @@ func (s *Server) userMessageSent(eventData chatClientEvent) {
 eventData.client.MessageCount++
 _lastSeenCache[event.User.ID] = time.Now()
 }
+
+func logSanitize(userValue string) string {
+ // strip carriage return and newline from user-submitted values to prevent log injection
+ sanitizedValue := strings.Replace(userValue, "\n", "", -1)
+ sanitizedValue = strings.Replace(sanitizedValue, "\r", "", -1)
+
+ return fmt.Sprintf("userSuppliedValue(%s)", sanitizedValue)
+}
diff --git a/core/chat/server.go b/core/chat/server.go
index ac22864dd..02c1c318b 100644
--- a/core/chat/server.go
+++ b/core/chat/server.go
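Review bot: logSanitize, the new function at the end of the events.go hunk, removes only `\n` and `\r`, so other control characters that a terminal or log viewer interprets (an ESC sequence, for instance) and the Unicode line separators U+2028/U+2029 still reach the log unchanged; the same gap applies to every call site, including the server.go hunk. Quoting the value covers all of these and also makes the boundary of the user-supplied text unambiguous when it contains a `)`: `return fmt.Sprintf("userSuppliedValue(%q)", userValue)`, after which the two `strings.Replace` lines can go. If the unquoted form is preferred, `strings.ReplaceAll` (Go 1.12+) reads better than `strings.Replace(..., -1)`. Either way a doc comment on the function, such as `// logSanitize wraps a user-supplied string for logging so that a value cannot forge additional log lines.`, would tell readers of the call sites why the wrapper is there.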
@@ -355,7 +355,7 @@ func (s *Server) eventReceived(event chatClientEvent) {
 s.userNameChanged(event)
 default:
- log.Debugln(eventType, "event not found:", typecheck)
+ log.Debugln(logSanitize(fmt.Sprint(eventType)), "event not found:", logSanitize(fmt.Sprint(typecheck)))
 }
 }
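Review bot: The added `log.Debugln` line wraps both arguments in `fmt.Sprint` before passing them to logSanitize; if `eventType` is already a string, as its use as a `switch` subject suggests, `fmt.Sprint(eventType)` is a no-op conversion and `logSanitize(eventType)` would be clearer — keep `fmt.Sprint` only for `typecheck`, whose type is not visible here. The hunk header declares seven lines on each side but fewer are shown in this copy, so the `case` label preceding `s.userNameChanged(event)` appears to have been lost in rendering rather than in the change. eventReceived starts outside the hunk.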