From f09d61fe93c55b81cc2999d5771c09e2b996c495 Mon Sep 17 00:00:00 2001 From: githubofkrishnadhas Date: Sat, 12 Apr 2025 22:55:51 +0530 Subject: [PATCH 1/3] If unsanitized user input is written to a log entry, a malicious user may be able to forge new log entries. --- app/quickapi.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/app/quickapi.py b/app/quickapi.py index 875a312..c341212 100644 --- a/app/quickapi.py +++ b/app/quickapi.py @@ -40,7 +40,8 @@ async def create_item(item: UserColorEntry): """Create an item with a username and users favourite colour and return it.""" user_colour.append(item) print(user_colour) - logger.info(item) + # Sanitize log message to prevent log injection + logger.info("New user-color entry added: username=%s, color=%s", item.username, item.color) return item # List all user_colour mappings From 1b85abb4aa74d7a18ae62c8962eb1e8993daa8d9 Mon Sep 17 00:00:00 2001 From: Krishnadhas N K <108367225+githubofkrishnadhas@users.noreply.github.com> Date: Sun, 13 Apr 2025 00:56:51 +0530 Subject: [PATCH 2/3] Potential fix for code scanning alert no. 3: Log Injection Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- app/quickapi.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/app/quickapi.py b/app/quickapi.py index c341212..ff26fb7 100644 --- a/app/quickapi.py +++ b/app/quickapi.py @@ -41,7 +41,9 @@ async def create_item(item: UserColorEntry): user_colour.append(item) print(user_colour) # Sanitize log message to prevent log injection - logger.info("New user-color entry added: username=%s, color=%s", item.username, item.color) + sanitized_username = item.username.replace('\r\n', '').replace('\n', '') + sanitized_color = item.color.replace('\r\n', '').replace('\n', '') + logger.info("New user-color entry added: username=%s, color=%s", sanitized_username, sanitized_color) return item # List all user_colour mappings From ef74860d06a60a153371e9cc3bf7d6b7f17c5f0c Mon Sep 17 00:00:00 2001 From: githubofkrishnadhas Date: Thu, 17 Apr 2025 22:28:37 +0530 Subject: [PATCH 3/3] DEVOPS-326 hotfix commit fix log --- app/quickapi.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/app/quickapi.py b/app/quickapi.py index ff26fb7..15e264f 100644 --- a/app/quickapi.py +++ b/app/quickapi.py @@ -41,9 +41,9 @@ async def create_item(item: UserColorEntry): user_colour.append(item) print(user_colour) # Sanitize log message to prevent log injection - sanitized_username = item.username.replace('\r\n', '').replace('\n', '') - sanitized_color = item.color.replace('\r\n', '').replace('\n', '') - logger.info("New user-color entry added: username=%s, color=%s", sanitized_username, sanitized_color) + sanitized_username = item.name.replace('\r\n', '').replace('\n', '') + sanitized_color = item.favorite_color.replace('\r\n', '').replace('\n', '') + logger.info("New user-color entry added: name=%s, favorite_colour=%s", sanitized_username, sanitized_color) return item # List all user_colour mappings