Sanitize user submitted values before logging (#2134)

* strip line breaks from user-submitted values before logging * finish comment
2024-10-10 19:16:02 +00:00 · 2022-09-21 13:03:16 -04:00 · 2022-09-21 13:03:16 -04:00 · 717bbcf2e7
commit 717bbcf2e7
parent 29972bb4e7
2 changed files with 10 additions and 2 deletions
--- a/core/chat/events.go
+++ b/core/chat/events.go
@ -36,7 +36,7 @@ func (s *Server) userNameChanged(eventData chatClientEvent) {
 		normalizedName = strings.ToLower(normalizedName)
 		if strings.Contains(normalizedName, proposedUsername) {
 			// Denied.
-			log.Debugln(eventData.client.User.DisplayName, "blocked from changing name to", proposedUsername, "due to blocked name", normalizedName)
+			log.Debugln(logSanitize(eventData.client.User.DisplayName), "blocked from changing name to", logSanitize(proposedUsername), "due to blocked name", normalizedName)
 			message := fmt.Sprintf("You cannot change your name to **%s**.", proposedUsername)
 			s.sendActionToClient(eventData.client, message)
@ -138,3 +138,11 @@ func (s *Server) userMessageSent(eventData chatClientEvent) {
 	eventData.client.MessageCount++
 	_lastSeenCache[event.User.ID] = time.Now()
 }
 func logSanitize(userValue string) string {
 	// strip carriage return and newline from user-submitted values to prevent log injection
 	sanitizedValue := strings.Replace(userValue, "\n", "", -1)
 	sanitizedValue = strings.Replace(sanitizedValue, "\r", "", -1)
 	return fmt.Sprintf("userSuppliedValue(%s)", sanitizedValue)
 }
--- a/core/chat/server.go
+++ b/core/chat/server.go
@ -355,7 +355,7 @@ func (s *Server) eventReceived(event chatClientEvent) {
 		s.userNameChanged(event)
 	default:
-		log.Debugln(eventType, "event not found:", typecheck)
+		log.Debugln(logSanitize(fmt.Sprint(eventType)), "event not found:", logSanitize(fmt.Sprint(typecheck)))
 	}
 }