Fix log injection and information disclosure vulnerabilities#1598

Closed
Copilot wants to merge 5 commits into main from copilot/fix-security-issues

Conversation

Contributor

Copilot AI commented Mar 3, 2026

Security audit of the codebase identified two classes of vulnerabilities: log forging via embedded newlines in user-controlled input, and exception message leakage to RESP clients.

Log injection in FileLoggerProvider (CWE-117)

FileLoggerOutput.Log() wrote formatter output directly to file without sanitizing newlines. RESP commands like DEBUG LOG or CLIENT KILL accept arbitrary user input that flows into structured logging parameters — an attacker could inject fake log entries:

```
DEBUG LOG "benign\n[000.2026-01-01] (Error) <Security> Admin access granted from 10.0.0.1"
```

Fix: escape \r\n, \r, \n in the formatted message before writing. Exception stack traces (appended separately) are unaffected.

```csharp
var formattedMessage = (formatter(state, exception) ?? string.Empty)
    .Replace("\r\n", "\\r\\n")
    .Replace("\r", "\\r")
    .Replace("\n", "\\n");
```

Information disclosure in error responses (CWE-209)

  • ACL SAVE and PURGEBP catch handlers forwarded raw ex.Message to clients via TryWriteError($"ERR {ex.Message}", ...), potentially exposing file paths, OS details, or internal state.
  • Replaced with static generic error messages. Full exceptions remain in server-side logs.

Tests

  • FileLoggerOutputTests — verifies newlines are escaped, exceptions preserve real newlines, and normal messages pass through unchanged.

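Both fixes in the PR description, the newline escaping in the file logger and the generic client-facing error, modelled in Python as an added example (not the project's C# code). `FileLoggerOutput`, `sanitize_for_log`, `raw_error_response` and `generic_error_response` are names chosen here; the file path in the constructed `PermissionError` is a placeholder. The sanitizer goes one step beyond the PR by also escaping the remaining C0 control characters, which cannot split a log line but can corrupt terminal log viewers.

```python
import io
from typing import List, Optional

# Constructed sample: the forged payload quoted in the PR description, as it
# would reach the logger through a user-controlled command argument.
FORGED_INPUT = "benign\n[000.2026-01-01] (Error) <Security> Admin access granted from 10.0.0.1"


def sanitize_for_log(message: str) -> str:
    """Escape line breaks so one log call can never produce more than one line.

    The three replace() calls mirror the C# fix in the PR: CRLF is handled
    first so it becomes a single \\r\\n token instead of \\r plus a second
    escape. The final step goes beyond the PR and escapes the other C0 control
    characters (ESC, backspace, NUL, ...) as \\xNN.
    """
    escaped = (message
               .replace("\r\n", "\\r\\n")
               .replace("\r", "\\r")
               .replace("\n", "\\n"))
    return "".join(c if ord(c) >= 0x20 else f"\\x{ord(c):02x}" for c in escaped)


class FileLoggerOutput:
    """Minimal stand-in for the PR's FileLoggerOutput: one record per call."""

    def __init__(self) -> None:
        self._file = io.StringIO()  # stands in for the log file on disk

    def log(self, level: str, category: str, message: str,
            exception_text: Optional[str] = None) -> None:
        record = f"({level}) <{category}> {sanitize_for_log(message)}"
        if exception_text is not None:
            # As in the PR, exception text is appended separately and its
            # real newlines are kept so stack traces stay readable.
            record += "\n" + exception_text
        self._file.write(record + "\n")

    def lines(self) -> List[str]:
        return self._file.getvalue().splitlines()


def raw_error_response(exc: Exception) -> str:
    """The pattern the PR removed: the exception message forwarded verbatim."""
    return f"-ERR {exc}"


def generic_error_response(exc: Exception, generic_message: str,
                           logger: FileLoggerOutput) -> str:
    """The PR's replacement: static text to the client, details to the log."""
    logger.log("Error", "Server", "command failed",
               exception_text=f"{type(exc).__name__}: {exc}")
    return f"-ERR {generic_message}"


def demo() -> dict:
    """Run both scenarios and return what the client and the log file see."""
    logger = FileLoggerOutput()
    logger.log("Info", "Session", FORGED_INPUT)
    # Constructed failure of the kind a file-backed command could hit;
    # the path is a placeholder, not a real project location.
    exc = PermissionError("[Errno 13] Permission denied: '/etc/garnet/acl.conf'")
    return {
        "log_lines_for_forged_input": len(logger.lines()),
        "leaky": raw_error_response(exc),
        "safe": generic_error_response(exc, "ACL SAVE failed", logger),
        "log": logger.lines(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

`demo()` shows the forged input collapsing to a single log record, the leaky response carrying the path, and the generic response with the same path visible only in the server-side log.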

Copilot AI and others added 4 commits March 4, 2026 00:02
Co-authored-by: TalZaccai <18443527+TalZaccai@users.noreply.github.com>
Sanitize formatted log messages in FileLoggerOutput.Log() by escaping
embedded newline characters (\r\n, \r, \n) to prevent log forging attacks.
Exception stack traces are preserved as they are added separately.

Co-authored-by: TalZaccai <18443527+TalZaccai@users.noreply.github.com>
Replace raw exception messages sent to RESP clients with generic error
messages. The full exception details are still logged server-side.
This prevents potential exposure of file paths, system details, and
internal implementation information to connected clients.

Co-authored-by: TalZaccai <18443527+TalZaccai@users.noreply.github.com>
Co-authored-by: TalZaccai <18443527+TalZaccai@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix open security issues" to "Fix log injection and information disclosure vulnerabilities" on Mar 4, 2026
TalZaccai closed this Mar 4, 2026