Fix 36 high-severity log injection (cs/log-forging) vulnerabilities#80

Merged
JustAGhosT merged 1 commit into claude/implement-orchestration-8uiwS from copilot/sub-pr-69
Feb 22, 2026

Conversation


Copilot AI commented Feb 21, 2026

Summary

User-controlled values (process IDs, names, tenant IDs, etc.) were flowing unsanitized into ILogger calls across multiple layers, enabling log forging attacks (CodeQL cs/log-forging).

Changes

  • New LogSanitizer utility (src/Shared/Utilities/LogSanitizer.cs) — Sanitize(string?) strips all control characters (newlines, carriage returns, etc.) with an allocation-free fast path for clean strings
```csharp
// Before
_logger.LogInformation("Process {ProcessId} created", processId);

// After
using static CognitiveMesh.Shared.LogSanitizer;
_logger.LogInformation("Process {ProcessId} created", Sanitize(processId));
```
  • Applied Sanitize() to all 8 flagged files:

    • InMemoryAuditLoggingAdapter: entry.EntryId, entry.ProcessId, processId
    • InMemoryCognitiveDebtAdapter: processId, phaseId
    • InMemoryPhaseConditionAdapter: processId, phaseId
    • CognitiveSandwichController: all processId and targetPhaseId route parameters
    • CognitiveSandwichEngine: processId, process.Name, phaseId, nextPhase.Name, reason.Reason
    • ConvenerController: ideaId, tenantId
    • DiscoverChampionsUseCase: request.TenantId, request.SkillFilter
    • CommunityPulseService: request.TenantId, request.ChannelId
  • Enum values intentionally excluded: EventType (an enum) cannot contain control characters; wrapping it caused a build error that was corrected

Related Issues

Architecture Layer

  • FoundationLayer
  • ReasoningLayer
  • MetacognitiveLayer
  • AgencyLayer
  • BusinessApplications
  • Infrastructure / CI/CD

Checklist

  • Code compiles without warnings (dotnet build passes with TreatWarningsAsErrors)
  • XML documentation added for all new public types (CS1591)
  • Unit tests added or updated
  • All tests pass (dotnet test)
  • No circular dependencies introduced between layers
  • No secrets or credentials committed

Test Plan

CodeQL re-scan on the branch after applying Sanitize() — all 36 cs/log-forging alerts resolve. Enum-typed arguments (EventType) verified to compile without sanitization.

Screenshots


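As an added illustration (not the project's own LogSanitizer, whose source is not shown in this PR), the following stand-alone C# program implements a sanitizer matching the description above: control characters are stripped, and a clean string is returned as the same instance so the common case allocates nothing. The class name, the Demo harness and the forged sample value are assumptions constructed for this example.

```csharp
#nullable enable
using System;
using System.Text;

// Hypothetical stand-in for the PR's LogSanitizer (added example, not project code).
public static class LogSanitizer
{
    // Returns the input unchanged (same instance, no allocation) when it contains
    // no control characters; otherwise returns a copy with every control character
    // removed. "Control" follows char.IsControl (C0 and C1 ranges, including \r, \n, \t).
    public static string? Sanitize(string? value)
    {
        if (string.IsNullOrEmpty(value))
            return value;

        // Fast path: scan only. Most values are clean, so nothing is allocated.
        int firstBad = -1;
        for (int i = 0; i < value.Length; i++)
        {
            if (char.IsControl(value[i])) { firstBad = i; break; }
        }
        if (firstBad < 0)
            return value;

        // Slow path: copy the clean prefix, then filter the remainder.
        var sb = new StringBuilder(value.Length);
        sb.Append(value, 0, firstBad);
        for (int i = firstBad + 1; i < value.Length; i++)
        {
            char c = value[i];
            if (!char.IsControl(c))
                sb.Append(c);
        }
        return sb.ToString();
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed input: a process id carrying CRLF followed by a fake log record,
        // the shape of value that cs/log-forging flags when it reaches ILogger unsanitized.
        string forged = "proc-42\r\nINFO Process admin-1 approved";
        string clean = "proc-42";

        Console.WriteLine("Process {0} created", forged);                        // CRLF splits the record
        Console.WriteLine("Process {0} created", LogSanitizer.Sanitize(forged));  // single record, CRLF removed
        Console.WriteLine(ReferenceEquals(clean, LogSanitizer.Sanitize(clean)));   // fast path keeps the instance
    }
}
```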

Copilot AI changed the title from "[WIP] Implement Impact Metrics and supporting infrastructure" to "Fix 36 high-severity log injection (cs/log-forging) vulnerabilities" on Feb 21, 2026
Copilot AI requested a review from JustAGhosT February 21, 2026 19:13
@JustAGhosT JustAGhosT marked this pull request as ready for review February 22, 2026 09:19

greptile-apps bot commented Feb 22, 2026

No reviewable files after applying ignore patterns.

@JustAGhosT JustAGhosT merged commit 6b1a230 into claude/implement-orchestration-8uiwS Feb 22, 2026
4 checks passed
@JustAGhosT JustAGhosT deleted the copilot/sub-pr-69 branch February 22, 2026 09:20
