Sanitize the inbound X-Request-Id to prevent header and log injection #77

Description

@mikewheeleer

Sanitize the client-supplied X-Request-Id

Description

The correlation middleware in src/index.ts trusts the inbound x-request-id header verbatim as long as its length is <= 200, then reflects it into the X-Request-Id response header and into every structured log line and JSON error body. A value containing CRLF or control characters can forge log entries (log injection) or, depending on the downstream proxy, split response headers. This issue restricts the accepted id to a safe character set and otherwise generates a fresh UUID.

Requirements and context

  • Repository scope: StableRoute-Org/Stableroute-backend only.
  • Accept an inbound x-request-id only when it matches a strict pattern (e.g. ^[A-Za-z0-9._-]{1,200}$); otherwise fall back to randomUUID().
  • Continue to set the X-Request-Id response header and echo the id in error bodies, but only with the sanitized value.
  • Preserve the existing behavior of generating a UUID when the header is absent.
  • Do not change the response shape; this only constrains what value the requestId field can take.

Suggested execution

  • Fork the repo and create a branch
  • git checkout -b security/request-id-29-sanitize
  • Implement changes
    • Write code in: src/index.ts — tighten the id acceptance check in the correlation middleware.
    • Write comprehensive tests in: src/__tests__/index.test.ts — send a valid id (echoed), a CRLF-containing id (replaced with a UUID), an over-length id (replaced), and no id (UUID).
    • Add documentation: document the accepted X-Request-Id format in README.md.
    • Add TSDoc on the sanitization rule.
    • Validate security: assert the response header and error body never contain control characters from the input.
  • Test and commit

Test and commit

  • Run npm run build, npm run lint, and npm test.
  • Cover edge cases: CRLF injection, control chars, over-length, valid id, absent header.
  • Paste the full npm test output and a short note on the injection vector in the PR.

Example commit message

fix(security): sanitize inbound X-Request-Id against header/log injection

Guidelines

  • Minimum 95 percent test coverage for impacted code.
  • Clear, reviewer-focused documentation.
  • Timeframe: 96 hours.

Community & contribution rewards

  • 💬 Join the StableRoute community on Discord for questions, reviews, and faster merges: https://discord.gg/37aCpusvx
  • ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.
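
An added sketch of the acceptance rule from the requirements above; it is not code from the StableRoute repository. Only the pattern and the `randomUUID()` fallback come from the issue: `resolveRequestId`, `hasControlChars`, `checkSamples` and the sample inputs are hypothetical names and constructed values.

```typescript
import { randomUUID } from "node:crypto";

// Pattern suggested in the issue: letters, digits, dot, underscore, hyphen; 1 to 200 chars.
// Without the `m` flag, `$` in JavaScript matches only at the very end of the input,
// so a value ending in "\n" is rejected rather than accepted up to the newline.
const SAFE_REQUEST_ID = /^[A-Za-z0-9._-]{1,200}$/;
const UUID_V4 = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/;

type HeaderValue = string | string[] | undefined;

/**
 * Hypothetical helper: returns the inbound id only when it is a single string
 * matching SAFE_REQUEST_ID; anything else (absent, repeated header, over-length,
 * CRLF or other control characters) is replaced by a fresh UUID.
 */
function resolveRequestId(inbound: HeaderValue): string {
  if (typeof inbound === "string" && SAFE_REQUEST_ID.test(inbound)) {
    return inbound;
  }
  return randomUUID();
}

/** True when the value contains any ASCII control character, CR and LF included. */
function hasControlChars(value: string): boolean {
  return /[\x00-\x1f\x7f]/.test(value);
}

// Constructed sample inputs covering the edge cases listed in the issue.
const SAMPLES: Array<[string, HeaderValue, boolean]> = [
  ["valid id", "req-123.abc_DEF", true],
  ["CRLF injection", "abc\r\nX-Injected: 1", false],
  ["trailing newline", "abc\n", false],
  ["control char", "abc\x00def", false],
  ["over-length", "a".repeat(201), false],
  ["repeated header", ["a", "b"], false],
  ["absent header", undefined, false],
];

/** Returns the labels of samples whose outcome differs from the expected one. */
function checkSamples(): string[] {
  return SAMPLES.filter(([, input, expectEcho]) => {
    const id = resolveRequestId(input);
    const echoed = id === input;
    const safe = !hasControlChars(id) && (echoed || UUID_V4.test(id));
    return echoed !== expectEcho || !safe;
  }).map(([label]) => label);
}
```
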
