Description
The JSON logging formatter in src/main.rs (lines 62-72) interpolates record.args() directly into a JSON string template using format!() without proper JSON escaping.
Since user-controlled data (namespace and flag names from URL path parameters) gets logged at lines 146 and 160, an attacker can craft names containing quotes, backslashes, or newlines to:
- Break JSON log structure
- Inject fake log entries
- Potentially exploit downstream log processing systems (SIEMs)
Severity
Medium
Suggested Fix
Use serde_json::json!() macro to construct the log entry, which properly escapes all string values.
Description
The JSON logging formatter in
src/main.rs(lines 62-72) interpolatesrecord.args()directly into a JSON string template usingformat!()without proper JSON escaping.Since user-controlled data (namespace and flag names from URL path parameters) gets logged at lines 146 and 160, an attacker can craft names containing quotes, backslashes, or newlines to:
Severity
Medium
Suggested Fix
Use
serde_json::json!()macro to construct the log entry, which properly escapes all string values.