Remove line breaks from user log input to prevent log forging (#987)

swisstopo · Jan 26, 2024 · d45742a · d45742a
2 parents 5f4b6d7 + 9e8770a
commit d45742a
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/src/api/Authentication/LegacyApiAuthenticationMiddleware.cs b/src/api/Authentication/LegacyApiAuthenticationMiddleware.cs
@@ -22,7 +22,8 @@ public async Task InvokeAsync(HttpContext context, RequestDelegate next)
 
                 await next.Invoke(context).ConfigureAwait(false);
 
-                logger.LogInformation("Authorized user with subject_id <{SubjectId}> for legacy api accessing route <{Route}>", subjectId.Value, context.Request.Path);
+                var route = context.Request.Path.ToString().ReplaceLineEndings("");
+                logger.LogInformation("Authorized user with subject_id <{SubjectId}> for legacy api accessing route <{Route}>", subjectId.Value, route);
                 return;
             }
         }