AI-generated audit finding — this issue was opened from an automated security/correctness audit. It has not been triaged by a human yet; verify the reasoning, reproducibility, and severity before acting on it.
Medium: LoggerMiddleware logs peer-controlled operation names and icerpc request paths without sanitization — CONFIRMED
Affected code:
- `request.Path` and `request.Operation` are logged verbatim on success.
- `Operation` is an unconstrained wire-decoded string; `Path` on icerpc is a mutable string taken from the request header.
Verification:
Confirmed. The middleware's `LoggerMessage` templates interpolate `{Operation}` and `{Path}` into the rendered message text. For console/file sinks — the most common logger back ends — this produces literal output containing any control characters the peer sent. A peer can craft an operation name like `"op\r\nINFO: fake admin login by root"` and produce a forged log line. Sinks that emit structured records (JSON, for example) encode the value and are less exposed, but the rendered message text is exactly what plain-text sinks write.
The `ice` path goes through an `Identity` round-trip that normalizes the path, so only the operation is peer-controlled there. For icerpc, both path and operation are attacker-shaped strings.
Impact:
- Log injection / log forging against text-based sinks.
- Corrupted audit trails and misleading operational diagnostics.
- Parser confusion in downstream log processors that assume one event per line.
Recommendation:
- Escape control characters in `Path` and `Operation` before logging. At minimum, replace CR/LF/tab with the `\r` / `\n` / `\t` escape sequences and escape other non-printable ASCII (0x00-0x1F, 0x7F) in a similar visible form such as `\xNN`.
- Consider a shared `SafeLogValue(string)` helper to apply the same rule uniformly across the codebase.
- Add regression tests that log requests with embedded newlines in `Operation`, and for icerpc, in `Path`.
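The following is an added example, not IceRpc's own code, showing the escaping rule the verification and recommendation above describe: a hypothetical `SafeLogValue` helper (the name is taken from the recommendation; its implementation here is an assumption), a stand-in `Render` method that mimics a text sink rendering a message template (the real `LoggerMessage` template is not reproduced), and regression-style checks using the forged operation name from the finding as constructed input.

```csharp
// Added example for this finding. Not IceRpc code; SafeLogValue and the
// Render template below are hypothetical stand-ins.
using System;
using System.Text;

public static class LogSanitizer
{
    // Escape anything that could start a new physical line in a text sink or
    // make an escaped sequence ambiguous. Returns the input object itself
    // (no allocation) when nothing needs escaping.
    public static string SafeLogValue(string? value)
    {
        if (value is null)
        {
            return "(null)";
        }

        StringBuilder? sb = null;
        for (int i = 0; i < value.Length; i++)
        {
            char c = value[i];
            string? escaped = c switch
            {
                '\r' => @"\r",
                '\n' => @"\n",
                '\t' => @"\t",
                '\\' => @"\\",   // doubled so a peer-sent "\n" cannot pose as an escape
                // NEL, LINE SEPARATOR, PARAGRAPH SEPARATOR: line breaks in some viewers
                '\u0085' or '\u2028' or '\u2029' => $@"\u{(int)c:X4}",
                // remaining C0 controls, DEL and C1 controls
                _ when c < 0x20 || (c >= 0x7F && c <= 0x9F) => $@"\x{(int)c:X2}",
                _ => null,
            };

            if (escaped is null)
            {
                sb?.Append(c);
            }
            else
            {
                sb ??= new StringBuilder(value, 0, i, value.Length + 16);
                sb.Append(escaped);
            }
        }
        return sb?.ToString() ?? value;
    }
}

public static class Demo
{
    // Hypothetical stand-in for what a console/file sink writes for one event.
    public static string Render(string path, string operation) =>
        $"Received request path={path} operation={operation}";

    public static void Main()
    {
        // Constructed input: the forged operation name from the finding.
        string forgedOp = "op\r\nINFO: fake admin login by root";
        string path = "/hello";

        string unsafeLine = Render(path, forgedOp);
        string safeLine = Render(LogSanitizer.SafeLogValue(path),
                                 LogSanitizer.SafeLogValue(forgedOp));

        Console.WriteLine("--- unsanitized (two physical lines, the second forged) ---");
        Console.WriteLine(unsafeLine);
        Console.WriteLine("--- sanitized (one physical line) ---");
        Console.WriteLine(safeLine);

        // Regression checks of the kind the recommendation asks for.
        Check(CountLines(unsafeLine) == 2, "unsanitized output spans two lines");
        Check(CountLines(safeLine) == 1, "sanitized output must stay on one line");
        Check(safeLine.Contains(@"op\r\nINFO"), "CR/LF rendered as visible escapes");
        Check(LogSanitizer.SafeLogValue("plain-op") == "plain-op", "clean values pass through");
        Check(LogSanitizer.SafeLogValue("a\\b") == @"a\\b", "literal backslash is doubled");
        Check(LogSanitizer.SafeLogValue("x\u0000y") == @"x\x00y", "other controls use \\xNN");
    }

    private static int CountLines(string s) =>
        s.Split(new[] { "\r\n", "\n", "\r" }, StringSplitOptions.None).Length;

    private static void Check(bool ok, string message)
    {
        if (!ok) throw new InvalidOperationException("regression check failed: " + message);
    }
}
```

Doubling the backslash is a design choice beyond the minimum the recommendation asks for: without it, a peer can send the two characters `\` `n` and produce output indistinguishable from an escaped newline, so an operator reading the log cannot tell what was actually on the wire.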
Status: Valid, Medium severity.
Source report: src-IceRpc.Logger-audit-2026-04-14.md (finding "`LoggerMiddleware` logs peer-controlled operation names and `icerpc` request paths without sanitization — CONFIRMED")
Severity (auditor-assigned): Medium