From a687645d3ff4327ba32464ee06275502c5b4383e Mon Sep 17 00:00:00 2001
From: Peter Koscelansky
Date: Wed, 14 Sep 2022 10:11:04 +0200
Subject: [PATCH] Sanitize URL before sending it to logs.

---
 services/queued/internal/queue/queue.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/services/queued/internal/queue/queue.go b/services/queued/internal/queue/queue.go
index a99ba762..44651bda 100644
--- a/services/queued/internal/queue/queue.go
+++ b/services/queued/internal/queue/queue.go
@@ -442,7 +442,10 @@ func serverHandler(w http.ResponseWriter, r *http.Request) {
 	if r.URL.Path == "/test" && r.Method == "POST" {
 		w.WriteHeader(processTestRequestInternal(r))
 	} else {
-		log.Printf("<3>Unsupported request %v %v ip %v\n", r.Method, r.URL.Path, r.RemoteAddr)
+		// sanitize path to not allow arbitrary log input
+		path := strings.ReplaceAll(strings.ReplaceAll(r.URL.Path, "\r", ""), "\n", "")
+
+		log.Printf("<3>Unsupported request %v %v ip %v\n", r.Method, path, r.RemoteAddr)
 		w.WriteHeader(http.StatusNotFound)
 	}
 }
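Review bot: Stripping only "\r" and "\n" from the decoded path leaves every other control byte (NUL, ESC, backspace, and so on) that a percent-encoded request can place in r.URL.Path, so the log line can still be corrupted or terminal-manipulated even though the journald-style "<3>" priority prefix on the next line can no longer be forged. The standard fix is to let the formatter escape the value instead of hand-filtering: `log.Printf("<3>Unsupported request %v %q ip %v\n", r.Method, r.URL.Path, r.RemoteAddr)`, which quotes and escapes all non-printable characters and also makes an empty path visible; the two ReplaceAll calls and the blank line can then go. If the hand-stripping is kept, the comment should say why only CR/LF are removed, e.g. `// drop CR/LF so an attacker-controlled path cannot start a new (priority-prefixed) log record`. r.Method is presumably validated as an HTTP token by net/http before it reaches this handler, but quoting it with %q as well costs nothing and removes the need to rely on that. serverHandler's beginning lies outside the hunk.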