LogalDeveloper/owncast
LogalDeveloper/owncast
0
Fork 0
Code

Sanitize user submitted values before logging (#2134)

Browse Source 
* strip line breaks from user-submitted values before logging

* finish comment
This commit is contained in:
Matt Owens 2022-09-21 13:03:16 -04:00 committed by GitHub
parent b9fcca941d
commit 5dafdb479d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
core/chat/events.go
View File

@ -36,7 +36,7 @@ func (s *Server) userNameChanged(eventData chatClientEvent) {
normalizedName = strings.ToLower(normalizedName)
if strings.Contains(normalizedName, proposedUsername) {
// Denied.
log.Debugln(eventData.client.User.DisplayName, "blocked from changing name to", proposedUsername, "due to blocked name", normalizedName)
log.Debugln(logSanitize(eventData.client.User.DisplayName), "blocked from changing name to", logSanitize(proposedUsername), "due to blocked name", normalizedName)
message := fmt.Sprintf("You cannot change your name to **%s**.", proposedUsername)
s.sendActionToClient(eventData.client, message)
@ -138,3 +138,11 @@ func (s *Server) userMessageSent(eventData chatClientEvent) {
eventData.client.MessageCount++
_lastSeenCache[event.User.ID] = time.Now()
}
func logSanitize(userValue string) string {
// strip carriage return and newline from user-submitted values to prevent log injection
sanitizedValue := strings.Replace(userValue, "\n", "", -1)
sanitizedValue = strings.Replace(sanitizedValue, "\r", "", -1)
return fmt.Sprintf("userSuppliedValue(%s)", sanitizedValue)
}

2
core/chat/server.go
View File

@ -355,7 +355,7 @@ func (s *Server) eventReceived(event chatClientEvent) {
s.userNameChanged(event)
default:
log.Debugln(eventType, "event not found:", typecheck)
log.Debugln(logSanitize(fmt.Sprint(eventType)), "event not found:", logSanitize(fmt.Sprint(typecheck)))
}
}