From 1e068637954d4ce0d6666f9b0be885954c51fbae Mon Sep 17 00:00:00 2001
From: John Wang
Date: Sat, 7 Feb 2026 07:15:18 -0800
Subject: [PATCH] Potential fix for code scanning alert no. 1: Log entries created from user input

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 examples/twilio-agent/main.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/examples/twilio-agent/main.go b/examples/twilio-agent/main.go
index 87d8800..dcdf2fb 100644
--- a/examples/twilio-agent/main.go
+++ b/examples/twilio-agent/main.go
@@ -27,6 +27,7 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
+	"strings"
 	"syscall"
 	"time"
 )
@@ -76,7 +77,12 @@ func handleInboundCall(w http.ResponseWriter, r *http.Request) {
 	to := r.FormValue("To")
 	callSID := r.FormValue("CallSid")
 
-	log.Printf("Incoming call: %s -> %s (SID: %s)", from, to, callSID)
+	// Sanitize values before logging to prevent log injection via newlines
+	safeFrom := strings.ReplaceAll(strings.ReplaceAll(from, "\n", ""), "\r", "")
+	safeTo := strings.ReplaceAll(strings.ReplaceAll(to, "\n", ""), "\r", "")
+	safeCallSID := strings.ReplaceAll(strings.ReplaceAll(callSID, "\n", ""), "\r", "")
+
+	log.Printf("Incoming call: %s -> %s (SID: %s)", safeFrom, safeTo, safeCallSID)
 
 	// Return TwiML connecting to ConversationRelay
 	// This tells Twilio to open a WebSocket to our agent
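Review bot: Stripping only `\n` and `\r` leaves every other control character — ANSI escape sequences (`\x1b[...`), backspace, and Unicode line separators such as U+2028/U+0085 — in `from`, `to` and `callSID`, so a caller can still forge or mangle log lines in terminals and viewers that honour them, and silently deleting the newlines also erases the evidence that an injection was attempted. The idiomatic Go fix is the `%q` verb, which quotes the value and escapes all non-printable bytes, so the three `ReplaceAll` lines (and the `strings` import added in the first hunk) collapse into the single statement `log.Printf("Incoming call: %q -> %q (SID: %q)", from, to, callSID)`. These values are untrusted webhook form fields; if the handler does not already verify the `X-Twilio-Signature` header before reading them (not visible in this hunk), that check is the more important control and should be added. `handleInboundCall` begins and ends outside the hunk.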