fix(security): sanitise entry_id and actor in waitlist patch log (#442) (#137)

beenuar · Beenu Arora · web-flow · commit 9dbbc3c10894 · 2026-05-15T00:32:54.000+08:00
CodeQL py/log-injection alert #442 flagged the `logger.info` call in `patch_entry` because the `entry_id` path param (uuid.UUID) and `user.user_id` (also a UUID) flow into the log record's `extra` dict. The previous (`previous`) and next (`payload.status`) status fields were already sanitised inline in PR #136 to clear alerts #413 / #441, but CodeQL then surfaced #442 against the remaining two values. Both `entry_id` and `user.user_id` are typed as `uuid.UUID`, so their string form is always `[0-9a-f-]{36}` and cannot contain CR/LF. But CodeQL's taint tracker treats path params and auth-context values as user-controlled regardless of upstream validation, so the alert re-fired on the next scan. Apply the same inline `.replace("\r", "").replace("\n", " ")[:36]` sanitisation to `entry_id` and `user.user_id`, matching the pattern used for `previous` / `payload.status`. This silences the alert without weakening any existing guarantee. Co-authored-by: Beenu Arora <beenu@cyble.com>
diff --git a/services/api/app/api/v1/endpoints/waitlist.py b/services/api/app/api/v1/endpoints/waitlist.py
@@ -420,20 +420,29 @@ async def patch_entry(
             detail="Could not update waitlist entry.",
         ) from exc
 
-    # CodeQL py/log-injection: sanitise inline so the taint tracker
-    # sees the .replace() chain directly at the call site. Both values
-    # are also Pydantic-validated against ``ALLOWED_WAITLIST_STATUSES``
-    # so they can only ever be short safe identifiers, but the inline
-    # sanitisation makes the property explicit for static analysis.
+    # CodeQL py/log-injection: sanitise every value inline so the taint
+    # tracker sees the .replace() chain directly at the call site.
+    #
+    # - ``previous`` / ``payload.status`` are Pydantic-validated against
+    #   ``ALLOWED_WAITLIST_STATUSES`` (short identifiers, no CR/LF), and
+    # - ``entry_id`` / ``user.user_id`` are typed as ``uuid.UUID`` so the
+    #   string form is always ``[0-9a-f-]{36}``,
+    #
+    # but CodeQL's taint tracker treats path params and DB-derived
+    # strings as user-controlled regardless. Making the cleansing
+    # explicit at the call site silences the alert without weakening
+    # any existing guarantee.
     safe_previous = (previous or "").replace("\r", "").replace("\n", " ")[:32]
     safe_next = (payload.status or "").replace("\r", "").replace("\n", " ")[:32]
+    safe_entry_id = str(entry_id).replace("\r", "").replace("\n", " ")[:36]
+    safe_actor = str(user.user_id).replace("\r", "").replace("\n", " ")[:36]
     logger.info(
         "waitlist_status_transition",
         extra={
-            "entry_id": str(entry_id),
+            "entry_id": safe_entry_id,
             "previous": safe_previous,
             "next": safe_next,
-            "actor": str(user.user_id),
+            "actor": safe_actor,
         },
     )
     return _to_wire(row)
