Sanitize user submitted values before logging (#2134)

* strip line breaks from user-submitted values before logging * finish comment
3 years ago · 717bbcf2e7
2 changed files with 10 additions and 2 deletions
--- a/core/chat/events.go
+++ b/core/chat/events.go
@ -36,7 +36,7 @@ func (s *Server) userNameChanged(eventData chatClientEvent) {
				@@ -36,7 +36,7 @@ func (s *Server) userNameChanged(eventData chatClientEvent) {
 		normalizedName = strings.ToLower(normalizedName)
 		if strings.Contains(normalizedName, proposedUsername) {
 			// Denied.
-			log.Debugln(eventData.client.User.DisplayName, "blocked from changing name to", proposedUsername, "due to blocked name", normalizedName)
+			log.Debugln(logSanitize(eventData.client.User.DisplayName), "blocked from changing name to", logSanitize(proposedUsername), "due to blocked name", normalizedName)
 			message := fmt.Sprintf("You cannot change your name to **%s**.", proposedUsername)
 			s.sendActionToClient(eventData.client, message)

@ -138,3 +138,11 @@ func (s *Server) userMessageSent(eventData chatClientEvent) {
				@@ -138,3 +138,11 @@ func (s *Server) userMessageSent(eventData chatClientEvent) {
 	eventData.client.MessageCount++
 	_lastSeenCache[event.User.ID] = time.Now()
 }
+
+func logSanitize(userValue string) string {
+	// strip carriage return and newline from user-submitted values to prevent log injection
+	sanitizedValue := strings.Replace(userValue, "\n", "", -1)
+	sanitizedValue = strings.Replace(sanitizedValue, "\r", "", -1)
+
+	return fmt.Sprintf("userSuppliedValue(%s)", sanitizedValue)
+}
--- a/core/chat/server.go
+++ b/core/chat/server.go
@ -355,7 +355,7 @@ func (s *Server) eventReceived(event chatClientEvent) {
				@@ -355,7 +355,7 @@ func (s *Server) eventReceived(event chatClientEvent) {
 		s.userNameChanged(event)

 	default:
-		log.Debugln(eventType, "event not found:", typecheck)
+		log.Debugln(logSanitize(fmt.Sprint(eventType)), "event not found:", logSanitize(fmt.Sprint(typecheck)))
 	}
 }