Description
The JSON logging formatter in src/main.rs (lines 62-72) interpolates record.args() directly into a JSON string template with format!(), without JSON-escaping the value.
Because user-controlled data (the namespace and flag names taken from URL path parameters) is logged at lines 146 and 160, an attacker can choose names containing a double quote ("), a backslash (\), or newline characters and thereby:
- Break the JSON structure of the log line, so downstream parsers reject or misread it
- Inject fabricated log entries that appear to come from the application
- Potentially reach bugs in downstream log processing systems (SIEMs, log shippers) that trust the application's JSON
Severity
Medium
Reproduction
Send a PUT request whose flag name contains a double quote followed by a second JSON object, for example:
PUT /api/flags/test/flag"},{"level":"WARN","message":"injected
If the HTTP client refuses a raw double quote in the request line, percent-encode it as %22; the payload only needs to reach the logger in decoded form. The resulting log line then contains two objects instead of one.
Suggested Fix
Build the whole log entry with the serde_json::json!() macro (or serialize a struct with serde_json::to_string), which escapes every string value, instead of splicing record.args() into a hand-written template. If the template must stay, at minimum run the message through a JSON string escaper before interpolating it.
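The following is an added example, not the project's own code, showing the vulnerable template next to an escaped version and a small scanner that counts how many top-level JSON objects a log line contains. The escaper is hand-written so the example needs only the Rust standard library; serde_json::json!() performs the same escaping and is the fix recommended above. The shape of the logged message (the namespace and flag name joined into one string) is an assumption, as is the name log_message.

```rust
// Added example (not code from the project described in this report).

/// Assumed shape of the message that ends up in record.args(): the
/// namespace and flag name from the URL path, joined into one string.
pub fn log_message(namespace: &str, flag: &str) -> String {
    format!("set flag {}/{}", namespace, flag)
}

/// Mirrors the vulnerable formatter: the message is dropped into the
/// template unescaped, so a `"` in a flag name closes the JSON string.
pub fn vulnerable_log_line(level: &str, message: &str) -> String {
    format!("{{\"level\":\"{}\",\"message\":\"{}\"}}", level, message)
}

/// Escape a string for use inside a JSON string literal (RFC 8259 section 7):
/// quote, backslash and all control characters below U+0020.
pub fn json_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len() + 2);
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            '\u{08}' => out.push_str("\\b"),
            '\u{0C}' => out.push_str("\\f"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out
}

/// Hardened formatter: every interpolated value is escaped first. With
/// serde_json this would be json!({"level": level, "message": message}).
pub fn safe_log_line(level: &str, message: &str) -> String {
    format!(
        "{{\"level\":\"{}\",\"message\":\"{}\"}}",
        json_escape(level),
        json_escape(message)
    )
}

/// Count top-level JSON objects in a line, honouring string literals and
/// backslash escapes, i.e. what a JSON-aware log consumer would see.
pub fn count_objects(line: &str) -> usize {
    let (mut depth, mut objects) = (0usize, 0usize);
    let (mut in_str, mut escaped) = (false, false);
    for c in line.chars() {
        if in_str {
            if escaped {
                escaped = false;
            } else if c == '\\' {
                escaped = true;
            } else if c == '"' {
                in_str = false;
            }
            continue;
        }
        match c {
            '"' => in_str = true,
            '{' => {
                if depth == 0 {
                    objects += 1;
                }
                depth += 1;
            }
            '}' => depth = depth.saturating_sub(1),
            _ => {}
        }
    }
    objects
}

/// The flag name from the reproduction step above, as a Rust literal.
pub const PAYLOAD: &str = "flag\"},{\"level\":\"WARN\",\"message\":\"injected";

fn main() {
    let msg = log_message("test", PAYLOAD);
    let bad = vulnerable_log_line("INFO", &msg);
    let good = safe_log_line("INFO", &msg);
    println!("vulnerable: {} ({} objects)", bad, count_objects(&bad));
    println!("escaped:    {} ({} objects)", good, count_objects(&good));
}
```

Running it shows the vulnerable line splitting into two objects, the second carrying the attacker's WARN message, while the escaped line stays a single object whose message merely contains a literal `"},{`.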