LogInjectionGood.rs
use std::env;
use log::{info, error};
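/// Returns a copy of `input` that is safe to embed in a single log line.
///
/// Every Unicode control character is dropped, not only `\n` and `\r`. Other
/// control characters (NEL, form feed, vertical tab, ESC and so on) can also
/// break a line-oriented log or alter how a terminal or log viewer renders an
/// entry. The Unicode line and paragraph separators (U+2028, U+2029) are not
/// in the control category, so they are removed explicitly.
///
/// Characters are removed rather than escaped, so the result may be shorter
/// than the input and distinct inputs can map to the same output.
fn sanitize_for_logging(input: &str) -> String {
    input
        .chars()
        .filter(|&c| !c.is_control() && !matches!(c, '\u{2028}' | '\u{2029}'))
        .collect()
}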
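/// Logs a login attempt for the user named by the first command-line argument.
///
/// The argument is attacker-controllable, so every log statement below
/// receives the output of `sanitize_for_logging`, never the raw value.
fn main() {
    env_logger::init();

    // Get username from command line arguments, defaulting to "Guest".
    // An owned String is taken here: borrowing a temporary through
    // `unwrap_or(&String::from(..))` does not outlive the statement and is
    // rejected by the borrow checker.
    let username = env::args().nth(1).unwrap_or_else(|| String::from("Guest"));

    // GOOD: log message constructed with sanitized user input
    let sanitized_username = sanitize_for_logging(&username);
    info!("User login attempt: {}", sanitized_username);

    // GOOD: another example with error logging
    // The emptiness check is on the raw argument; only the sanitized copy is logged.
    if username.is_empty() {
        error!("Login failed for user: {}", sanitized_username);
    }

    // GOOD: formatted string with sanitized user input
    // The pre-built message goes through a fixed "{}" format string, so it is
    // logged as data and never interpreted as a format template.
    let message = format!("Processing request for user: {}", sanitized_username);
    info!("{}", message);
}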