From 58a36218ab1f80e7bd45c35378393b52d7040d08 Mon Sep 17 00:00:00 2001
From: italolelis
Date: Tue, 14 Dec 2021 14:23:58 +0000
Subject: [PATCH 1/2] Sanitize inputs before using them

---
 internal/pkg/log/middleware.go | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/internal/pkg/log/middleware.go b/internal/pkg/log/middleware.go
index 1d3296e..b50ee79 100644
--- a/internal/pkg/log/middleware.go
+++ b/internal/pkg/log/middleware.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"strings"
 	"time"
 
 	"github.com/go-chi/chi/middleware"
@@ -26,7 +27,7 @@ type StructuredLogger struct {
 }
 
 func (l *StructuredLogger) NewLogEntry(r *http.Request) middleware.LogEntry {
-	traceID := r.Header.Get(TraceIDHeader)
+	traceID := sanitize(r.Header.Get(TraceIDHeader))
 
 	// adds the trace id into the request context.
 	ctx := context.WithValue(r.Context(), traceIDKey, traceID)
@@ -38,8 +39,8 @@ func (l *StructuredLogger) NewLogEntry(r *http.Request) middleware.LogEntry {
 		"host", r.Host,
 		"request", r.RequestURI,
 		"remote-addr", r.RemoteAddr,
-		"referer", r.Referer(),
-		"user-agent", r.UserAgent(),
+		"referer", sanitize(r.Referer()),
+		"user-agent", sanitize(r.UserAgent()),
 	)
 
 	logger.Info("request started")
@@ -66,3 +67,9 @@ func (l *StructuredLoggerEntry) Panic(v interface{}, stack []byte) {
 		String: fmt.Sprintf("%+v", v),
 	})
 }
+
+func sanitize(s string) string {
+	s = strings.Replace(s, "\n", "", -1)
+
+	return strings.Replace(s, "\r", "", -1)
+}

From 5f2363d153d70d022e244f14578893cd777c9791 Mon Sep 17 00:00:00 2001
From: italolelis
Date: Tue, 14 Dec 2021 14:34:53 +0000
Subject: [PATCH 2/2] Make CodeQL happy

---
 internal/pkg/log/middleware.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/internal/pkg/log/middleware.go b/internal/pkg/log/middleware.go
index b50ee79..1605427 100644
--- a/internal/pkg/log/middleware.go
+++ b/internal/pkg/log/middleware.go
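Review bot: `sanitize` in the last hunk removes only `\n` and `\r`, so every other control byte (tab, backspace, ESC and the terminal sequences it introduces) and the non-ASCII line separators in a Referer, User-Agent or trace-id header still reach the log line unchanged, and that gap is inherited by both call sites added in hunks 2 and 3. Whether the Go server rejects such bytes in incoming header values is not visible here, so the helper should not rely on it; dropping every rune that fails `unicode.IsPrint` closes the whole class in one place, as below (it needs `"unicode"` added to the import block alongside `"strings"`). Whatever form is kept, `strings.ReplaceAll` is the idiomatic spelling of `strings.Replace(..., -1)`, and the helper has no doc comment — at minimum `// sanitize strips control characters from a client-supplied value before it is logged.`
```go
// sanitize drops every non-printable rune (CR, LF, tab, ESC, ...) from a
// client-supplied value before it is stored or logged, so one request
// cannot forge additional log lines or inject terminal control sequences.
func sanitize(s string) string {
	return strings.Map(func(r rune) rune {
		if !unicode.IsPrint(r) {
			return -1 // a negative result drops the rune
		}
		return r
	}, s)
}
```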
@@ -28,6 +28,8 @@ type StructuredLogger struct {
 
 func (l *StructuredLogger) NewLogEntry(r *http.Request) middleware.LogEntry {
 	traceID := sanitize(r.Header.Get(TraceIDHeader))
+	referer := sanitize(r.Referer())
+	userAgent := sanitize(r.UserAgent())
 
 	// adds the trace id into the request context.
 	ctx := context.WithValue(r.Context(), traceIDKey, traceID)
@@ -39,8 +41,8 @@ func (l *StructuredLogger) NewLogEntry(r *http.Request) middleware.LogEntry {
 		"host", r.Host,
 		"request", r.RequestURI,
 		"remote-addr", r.RemoteAddr,
-		"referer", sanitize(r.Referer()),
-		"user-agent", sanitize(r.UserAgent()),
+		"referer", referer,
+		"user-agent", userAgent,
 	)
 
 	logger.Info("request started")
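Review bot: The new `referer` and `userAgent` locals in the first hunk carry no comment explaining why the sanitized values are hoisted out of the log call in the second hunk; judging by the subject line this is done so the static analyser's taint tracking sees a cleaned value rather than the raw getter, but nothing in the code records that, and a routine tidy-up could inline them again and reintroduce the finding. A one-line comment above the assignments would preserve the intent, e.g. `// Sanitize into locals once; the log call below must only receive cleaned values (log-injection check).` The body of NewLogEntry continues outside both hunks.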