Pensar - auto fix for Log Injection Through Unsanitized Twitter Usernames in Logging Statements#17

Open

pensarappdev[bot] wants to merge 1 commit into main from pensar-auto-fix-kc3a

Conversation


@pensarappdev pensarappdev Bot commented May 7, 2025

Secured with Pensar

Security issue addressed: The original code in create_social_profile_sns logged untrusted user data (specifically the variables user and users) directly using string interpolation, which made it vulnerable to log injection attacks (CWE-117). An attacker could craft usernames containing newline, carriage return, tab, or ANSI escape sequences, potentially manipulating or forging log entries.

How the fix was applied:

  1. Import re: Added the import re statement to support regular expressions for escape sequence stripping.
  2. Added _neutralize_for_log method: This helper method was added to safely neutralize strings and lists before logging:
    • Removes ANSI escape sequences using regex.
    • Escapes newline, carriage return, and tab characters as \\n, \\r, and \\t.
    • Handles both string and list inputs correctly.
  3. Sanitized log variables: Inside the loop over users, assigned user_safe and users_safe by running these through _neutralize_for_log, and used those sanitized versions in both relevant logger.info statements, replacing the direct use of untrusted data.
  4. No functional or signature changes: All modifications were limited to logging and necessary sanitization code.

Result: Log messages can no longer be manipulated via control characters from user-controlled input, resolving the CWE-117 log injection flaw as described in the issue metadata.

More Details

Type: Application
Identifier: CWE-117
Severity: medium
Message: Both user and users are derived from external input and are interpolated directly into log messages without any neutralization. If an attacker supplies a value containing newline characters, carriage returns, or ANSI escape codes (e.g. "attacker\n[ERROR] Unauthorized access"), they can inject forged entries, confuse log parsers, or hide malicious activity. This constitutes an Improper Output Neutralization for Logs vulnerability (log-injection / CWE-117).
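The neutralization step the bot describes, written out as an added example (this is not the PR's own code, which is not shown on this page): a standalone `neutralize_for_log` that strips ANSI escape sequences and escapes newline, carriage return and tab for both strings and lists, plus a `render_log` helper that logs the forged-entry payload quoted in the finding with and without neutralization so the difference is visible. The function names, the regexes and the log format are assumptions. It goes one step beyond the description by also escaping the remaining C0 control characters and DEL as `\xNN` (a lone ESC, backspace, NUL), since those can also corrupt terminal output and log parsers.

```python
import io
import logging
import re

# ANSI escape sequences: CSI (ESC [ params intermediates final), OSC (ESC ] ... BEL or ESC \),
# and two-character Fe sequences (ESC followed by one byte in 0x40-0x5F). Assumed pattern.
_ANSI_RE = re.compile(
    r"\x1b(?:\[[0-?]*[ -/]*[@-~]|\][^\x07\x1b]*(?:\x07|\x1b\\)|[@-_])"
)

# Any remaining C0 control character or DEL. Newline, CR and tab get readable
# escapes as in the PR description; everything else is rendered as \xNN.
_CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")
_NAMED_ESCAPES = {"\n": "\\n", "\r": "\\r", "\t": "\\t"}


def _escape_ctrl(match):
    ch = match.group(0)
    return _NAMED_ESCAPES.get(ch, "\\x%02x" % ord(ch))


def neutralize_for_log(value):
    """Return a copy of value safe to interpolate into a single log line.

    Strings are stripped of ANSI escape sequences and have control characters
    escaped; lists and tuples are processed element-wise; other values are
    converted with str() first so that nothing reaches the log unneutralized.
    """
    if isinstance(value, (list, tuple)):
        return [neutralize_for_log(v) for v in value]
    if not isinstance(value, str):
        value = str(value)
    value = _ANSI_RE.sub("", value)
    return _CTRL_RE.sub(_escape_ctrl, value)


# Constructed attacker-controlled username, taken from the finding's example:
# the embedded newline is meant to start a second, forged log entry.
FORGED_USERNAME = "attacker\n[ERROR] Unauthorized access"


def render_log(usernames, safe):
    """Log each username the way the affected loop does and return the log text.

    safe=False reproduces the vulnerable pattern (untrusted value interpolated
    as-is); safe=True applies neutralize_for_log first, as the fix does.
    A private Logger writing to a StringIO keeps the demo self-contained.
    """
    stream = io.StringIO()
    logger = logging.Logger("sns_demo")  # not registered globally, no propagation
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("[%(levelname)s] %(message)s"))
    logger.addHandler(handler)
    for user in usernames:
        user_out = neutralize_for_log(user) if safe else user
        logger.info("creating social profile for twitter user %s", user_out)
    handler.flush()
    return stream.getvalue()


if __name__ == "__main__":
    print("--- vulnerable: the payload becomes two entries ---")
    print(render_log([FORGED_USERNAME], safe=False))
    print("--- neutralized: one entry, newline visible as \\n ---")
    print(render_log([FORGED_USERNAME], safe=True))
    print(repr(neutralize_for_log(["\x1b[31mred\x1b[0m", "tab\there"])))
```

Two caveats a reviewer would want on record. First, this is a line-oriented defence: it keeps a value on its own line but does not make the log unambiguous, so a structured (JSON or key=value) formatter that quotes every field is the stronger fix where the logging stack allows it. Second, the ANSI sequences are dropped rather than escaped, so the logged value is no longer byte-for-byte what the user sent; if forensic fidelity matters, escape the ESC byte (as the `\xNN` branch does for a lone ESC) instead of stripping the whole sequence.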
