From 44d23de514ddbfeff4e319005f24d8726b912200 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yuniel=20Acosta=20P=C3=A9rez?= <33158051+yacosta738@users.noreply.github.com>
Date: Mon, 30 Sep 2024 19:31:12 +0200
Subject: [PATCH 1/6] Fix code scanning alert no. 173: Log Injection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Yuniel Acosta Pérez <33158051+yacosta738@users.noreply.github.com>
---
 .../com/lyra/app/users/application/UserRegistrator.kt | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/apps/backend/src/main/kotlin/com/lyra/app/users/application/UserRegistrator.kt b/apps/backend/src/main/kotlin/com/lyra/app/users/application/UserRegistrator.kt
index 7871a8e5..1d9d3d0a 100644
--- a/apps/backend/src/main/kotlin/com/lyra/app/users/application/UserRegistrator.kt
+++ b/apps/backend/src/main/kotlin/com/lyra/app/users/application/UserRegistrator.kt
@@ -24,7 +24,8 @@ class UserRegistrator(
     }
 
     suspend fun registerNewUser(registerUserCommand: RegisterUserCommand): ApiDataResponse {
-        log.info("Registering new user with email: {}", registerUserCommand.email)
+        val sanitizedEmail = sanitizeInput(registerUserCommand.email)
+        log.info("Registering new user with email: {}", sanitizedEmail)
         return try {
             val user = registerUserCommand.toUser()
             val createdUser = userCreator.create(user)
@@ -61,5 +62,9 @@ class UserRegistrator(
 
     companion object {
         private val log = LoggerFactory.getLogger(UserRegistrator::class.java)
+
+        private fun sanitizeInput(input: String): String {
+            return input.replace("\n", "").replace("\r", "")
+        }
     }
 }

From 26b190bca78424b316b37fbdbc965056b74dbfba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yuniel=20Acosta=20P=C3=A9rez?= <33158051+yacosta738@users.noreply.github.com>
Date: Mon, 30 Sep 2024 19:33:47 +0200
Subject: [PATCH 2/6] Fix code scanning alert no. 174: Log Injection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Yuniel Acosta Pérez <33158051+yacosta738@users.noreply.github.com>
---
 .../app/users/infrastructure/http/UserRegisterController.kt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/backend/src/main/kotlin/com/lyra/app/users/infrastructure/http/UserRegisterController.kt b/apps/backend/src/main/kotlin/com/lyra/app/users/infrastructure/http/UserRegisterController.kt
index 32f5d487..3e5edd42 100644
--- a/apps/backend/src/main/kotlin/com/lyra/app/users/infrastructure/http/UserRegisterController.kt
+++ b/apps/backend/src/main/kotlin/com/lyra/app/users/infrastructure/http/UserRegisterController.kt
@@ -30,7 +30,8 @@ class UserRegisterController(private val userRegistrator: UserRegistrator) {
     @PostMapping("/register")
     suspend fun registerUser(@Validated @RequestBody registerUserRequest: RegisterUserRequest): ResponseEntity> {
-        log.info("Registering new user with email: {}", registerUserRequest.email)
+        val sanitizedEmail = registerUserRequest.email.replace(Regex("[\\r\\n]"), "")
+        log.info("Registering new user with email: {}", sanitizedEmail)
         return try {
             val response = userRegistrator.registerNewUser(registerUserRequest.toRegisterUserCommand())
             mapRegistrationResult(response)

From ce6d89d4f47d6a2590940e31ad5b87271eb32a06 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yuniel=20Acosta=20P=C3=A9rez?= <33158051+yacosta738@users.noreply.github.com>
Date: Mon, 30 Sep 2024 19:34:09 +0200
Subject: [PATCH 3/6] Fix code scanning alert no. 167: Log Injection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Yuniel Acosta Pérez <33158051+yacosta738@users.noreply.github.com>
---
 .../authentication/application/AuthenticateUserQueryHandler.kt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/backend/src/main/kotlin/com/lyra/app/authentication/application/AuthenticateUserQueryHandler.kt b/apps/backend/src/main/kotlin/com/lyra/app/authentication/application/AuthenticateUserQueryHandler.kt
index 5edf2b79..1fa7ad9b 100644
--- a/apps/backend/src/main/kotlin/com/lyra/app/authentication/application/AuthenticateUserQueryHandler.kt
+++ b/apps/backend/src/main/kotlin/com/lyra/app/authentication/application/AuthenticateUserQueryHandler.kt
@@ -24,7 +24,8 @@ class AuthenticateUserQueryHandler(private val authenticator: UserAuthenticatorS
      * @return The response of the query.
      */
     override suspend fun handle(query: AuthenticateUserQuery): AccessToken {
-        log.info("Authenticating user with username: {}", query.username)
+        val sanitizedUsername = query.username.replace("\n", "").replace("\r", "")
+        log.info("Authenticating user with username: {}", sanitizedUsername)
         val username = Username(query.username)
         val password = Credential(CredentialId(UUID.randomUUID()), query.password)
         return authenticator.authenticate(username, password)

From 45374762bbb7e2f4a10f806e9ce5798627a055cf Mon Sep 17 00:00:00 2001
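Review bot: The new `sanitizedUsername` only removes `\n` and `\r`, so other characters that can corrupt or spoof log output — tab, backspace, ESC (0x1b) sequences, U+2028/U+2029 — still reach the log untouched, while the later patches in this series move the email logging to `StringEscapeUtils.escapeJava`, which escapes all of those; this handler should match, `log.info("Authenticating user with username: {}", StringEscapeUtils.escapeJava(query.username))` with the corresponding `import org.apache.commons.text.StringEscapeUtils`. Escaping is also preferable to stripping for forensics: a stripped value leaves no trace that a CR/LF was ever submitted, whereas the escaped form records it as a visible `\n`. Since the line runs before `authenticator.authenticate`, every attempt — failed ones included — writes the submitted username at INFO, which is worth a deliberate decision rather than an inherited default. `handle` continues past the end of the hunk.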
From: =?UTF-8?q?Yuniel=20Acosta=20P=C3=A9rez?= <33158051+yacosta738@users.noreply.github.com>
Date: Mon, 30 Sep 2024 20:28:45 +0200
Subject: [PATCH 4/6] fix: code scanning alert no. 317: Log Injection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Yuniel Acosta Pérez <33158051+yacosta738@users.noreply.github.com>
---
 .../app/users/infrastructure/http/UserRegisterController.kt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/backend/src/main/kotlin/com/lyra/app/users/infrastructure/http/UserRegisterController.kt b/apps/backend/src/main/kotlin/com/lyra/app/users/infrastructure/http/UserRegisterController.kt
index 3e5edd42..5b8a5689 100644
--- a/apps/backend/src/main/kotlin/com/lyra/app/users/infrastructure/http/UserRegisterController.kt
+++ b/apps/backend/src/main/kotlin/com/lyra/app/users/infrastructure/http/UserRegisterController.kt
@@ -30,7 +30,7 @@ class UserRegisterController(private val userRegistrator: UserRegistrator) {
     @PostMapping("/register")
     suspend fun registerUser(@Validated @RequestBody registerUserRequest: RegisterUserRequest): ResponseEntity> {
-        val sanitizedEmail = registerUserRequest.email.replace(Regex("[\\r\\n]"), "")
+        val sanitizedEmail = registerUserRequest.email.replace(Regex("[^a-zA-Z0-9@._-]"), "")
         log.info("Registering new user with email: {}", sanitizedEmail)
         return try {
             val response = userRegistrator.registerNewUser(registerUserRequest.toRegisterUserCommand())

From b4a1013e20eaedf13968e0b007f34d1ddd7e6b94 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yuniel=20Acosta=20P=C3=A9rez?= <33158051+yacosta738@users.noreply.github.com>
Date: Mon, 30 Sep 2024 20:36:09 +0200
Subject: [PATCH 5/6] fix: code scanning alert no. 174: Log Injection #352

---
 .../app/users/infrastructure/http/UserRegisterController.kt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/backend/src/main/kotlin/com/lyra/app/users/infrastructure/http/UserRegisterController.kt b/apps/backend/src/main/kotlin/com/lyra/app/users/infrastructure/http/UserRegisterController.kt
index 5b8a5689..b9468e83 100644
--- a/apps/backend/src/main/kotlin/com/lyra/app/users/infrastructure/http/UserRegisterController.kt
+++ b/apps/backend/src/main/kotlin/com/lyra/app/users/infrastructure/http/UserRegisterController.kt
@@ -8,6 +8,7 @@ import com.lyra.app.users.infrastructure.http.request.RegisterUserRequest
 import io.swagger.v3.oas.annotations.Operation
 import io.swagger.v3.oas.annotations.responses.ApiResponse
 import io.swagger.v3.oas.annotations.responses.ApiResponses
+import org.apache.commons.text.StringEscapeUtils
 import org.slf4j.LoggerFactory
 import org.springframework.http.HttpStatus
 import org.springframework.http.ResponseEntity
@@ -30,8 +31,7 @@ class UserRegisterController(private val userRegistrator: UserRegistrator) {
     @PostMapping("/register")
     suspend fun registerUser(@Validated @RequestBody registerUserRequest: RegisterUserRequest): ResponseEntity> {
-        val sanitizedEmail = registerUserRequest.email.replace(Regex("[^a-zA-Z0-9@._-]"), "")
-        log.info("Registering new user with email: {}", sanitizedEmail)
+        log.info("Registering new user with email: {}", StringEscapeUtils.escapeJava(registerUserRequest.email))
         return try {
             val response = userRegistrator.registerNewUser(registerUserRequest.toRegisterUserCommand())
             mapRegistrationResult(response)

From f527add96eb65a926a714e0946dab82e1258dac3 Mon Sep 17 00:00:00 2001
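Review bot: `StringEscapeUtils.escapeJava` comes from Apache Commons Text, and no patch in this series touches a build file, so unless `commons-text` is already a declared dependency of the backend module this hunk (and the matching one in patch 6/6) will not compile — worth confirming before merge. Functionally the escape is an improvement over the superseded `[^a-zA-Z0-9@._-]` regex, which would have rewritten valid addresses (a `+` tag, any non-ASCII local part) into something that no longer matches the stored value; with `escapeJava`, CR/LF and control characters become visible `\n`-style escapes instead of being dropped, so an attempted injection is preserved as evidence rather than erased. A short comment on the `log.info` line would stop a future maintainer from reverting to a plain `replace`, e.g. `// escapeJava: control characters in untrusted input become escapes (non-ASCII as \uXXXX) so they cannot forge log lines`. Note that the same address is logged again by `UserRegistrator.registerNewUser` (patch 6/6) on the same request path, so one registration writes it twice; `registerUser` continues beyond the hunk.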
From: =?UTF-8?q?Yuniel=20Acosta=20P=C3=A9rez?= <33158051+yacosta738@users.noreply.github.com>
Date: Mon, 30 Sep 2024 20:39:07 +0200
Subject: [PATCH 6/6] fix: code scanning alert no. 173: Log Injection #351

---
 .../com/lyra/app/users/application/UserRegistrator.kt | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/apps/backend/src/main/kotlin/com/lyra/app/users/application/UserRegistrator.kt b/apps/backend/src/main/kotlin/com/lyra/app/users/application/UserRegistrator.kt
index 1d9d3d0a..0f488b75 100644
--- a/apps/backend/src/main/kotlin/com/lyra/app/users/application/UserRegistrator.kt
+++ b/apps/backend/src/main/kotlin/com/lyra/app/users/application/UserRegistrator.kt
@@ -10,6 +10,7 @@ import com.lyra.common.domain.Service
 import com.lyra.common.domain.bus.event.EventBroadcaster
 import com.lyra.common.domain.bus.event.EventPublisher
 import com.lyra.common.domain.error.BusinessRuleValidationException
+import org.apache.commons.text.StringEscapeUtils
 import org.slf4j.LoggerFactory
 
 @Service
@@ -24,8 +25,10 @@ class UserRegistrator(
     }
 
     suspend fun registerNewUser(registerUserCommand: RegisterUserCommand): ApiDataResponse {
-        val sanitizedEmail = sanitizeInput(registerUserCommand.email)
-        log.info("Registering new user with email: {}", sanitizedEmail)
+        log.info(
+            "Registering new user with email: {}",
+            StringEscapeUtils.escapeJava(registerUserCommand.email),
+        )
         return try {
             val user = registerUserCommand.toUser()
             val createdUser = userCreator.create(user)
@@ -62,9 +65,5 @@ class UserRegistrator(
 
     companion object {
         private val log = LoggerFactory.getLogger(UserRegistrator::class.java)
-
-        private fun sanitizeInput(input: String): String {
-            return input.replace("\n", "").replace("\r", "")
-        }
     }
 }
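Review bot: With this hunk the escaped address is written at INFO by both `UserRegisterController.registerUser` (patch 5/6) and `registerNewUser`, so one registration now produces two log lines carrying the same personal data; keeping the service-level line (this method may be reached by callers other than the controller) and dropping or demoting the controller's would halve the exposure. Replacing the `sanitizeInput` strip with `StringEscapeUtils.escapeJava` is the right direction: the removed helper silently erased `\r`/`\n`, whereas the escaped form keeps them visible in the record, so an injection attempt can still be seen by whoever reads the log. The multi-line `log.info(` call deserves a one-line why-comment so it is not later collapsed back into a `replace`, e.g. `// escapeJava neutralises CR/LF and other control characters in untrusted input so it cannot forge log entries`. `registerNewUser` continues beyond the hunk.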