Merge remote-tracking branch 'origin/develop' into webv2

2022-10-02 21:44:06 -07:00
parent f1a2a918c8 39327f6b4a
commit 7fb97c56aa
21 changed files with 695 additions and 419 deletions
--- a/core/chat/events.go
+++ b/core/chat/events.go
@@ -36,7 +36,7 @@ func (s *Server) userNameChanged(eventData chatClientEvent) {
 		normalizedName = strings.ToLower(normalizedName)
 		if strings.Contains(normalizedName, proposedUsername) {
 			// Denied.
-			log.Debugln(eventData.client.User.DisplayName, "blocked from changing name to", proposedUsername, "due to blocked name", normalizedName)
+			log.Debugln(logSanitize(eventData.client.User.DisplayName), "blocked from changing name to", logSanitize(proposedUsername), "due to blocked name", normalizedName)
 			message := fmt.Sprintf("You cannot change your name to **%s**.", proposedUsername)
 			s.sendActionToClient(eventData.client, message)

@@ -160,3 +160,11 @@ func (s *Server) userMessageSent(eventData chatClientEvent) {
 	eventData.client.MessageCount++
 	_lastSeenCache[event.User.ID] = time.Now()
 }
+
+func logSanitize(userValue string) string {
+	// strip carriage return and newline from user-submitted values to prevent log injection
+	sanitizedValue := strings.ReplaceAll(userValue, "\n", "")
+	sanitizedValue = strings.ReplaceAll(sanitizedValue, "\r", "")
+
+	return fmt.Sprintf("userSuppliedValue(%s)", sanitizedValue)
+}
--- a/core/chat/server.go
+++ b/core/chat/server.go
@@ -362,7 +362,7 @@ func (s *Server) eventReceived(event chatClientEvent) {
 	case events.UserColorChanged:
 		s.userColorChanged(event)
 	default:
-		log.Debugln(eventType, "event not found:", typecheck)
+		log.Debugln(logSanitize(fmt.Sprint(eventType)), "event not found:", logSanitize(fmt.Sprint(typecheck)))
 	}
 }