Files
meshcore-analyzer/cmd
Kpa-clawbot 7b43045043 fix(security): sanitize 3 more log-injection sites missed by #1540 (#1544)
Follow-up to merged #1540. Self-review of #1540 found 3 additional
`log.Printf` sites interpolating MQTT-controlled strings without
`sanitizeLogString` — fixing here for completeness.

## Sites fixed

| File:line | Format | MQTT-controlled fields | Attacker scenario |
|---|---|---|---|
| `cmd/ingestor/main.go:531` | `status: %s (%s)` | `name`, `iata` |
Hostile node sends status with `name="evil\r\n[security] forged-line"` —
appears as a fake log line in operator dashboards / journalctl. |
| `cmd/ingestor/main.go:854` | `channel message: ch%s from %s` |
`channelIdx`, `sender` | Attacker spoofs `sender="evil\r\n[security]
backdoor-installed"` on any channel message — same forged-line outcome.
|
| `cmd/ingestor/main.go:940` | `direct message from %s` | `sender` | DM
injection via crafted sender field, same outcome. |

All three now route through `sanitizeLogString` from
`cmd/ingestor/sanitize_log.go` (added by #1540) which replaces
CR/LF/control bytes with `?`.

## TDD

Red commit (`8b3ad398`) adds 3 testable format helpers
(`formatStatusLog`, `formatChannelMessageLog`, `formatDirectMessageLog`)
plus tests pinning CR/LF stripping. Helpers return raw `fmt.Sprintf`
output, so tests fail on assertion (not build).

Green commit applies `sanitizeLogString` inside the helpers and swaps
the 3 call sites in `main.go` to use them.

Tests red-on-revert (verified locally).

## Scope

Strictly the 3 sites above. No other refactors. No changes to
`sanitizeLogString` itself.

---------

Co-authored-by: clawbot <clawbot@users.noreply.github.com>
2026-06-03 15:01:51 -07:00
..