sol/upaas
1
0
Fork 0
forked from sneak/upaas
Code Issues 2 Pull Requests Wiki Activity

feat: sanitize container log output beyond Content-Type

Browse Source 
Add SanitizeLogs() that strips ANSI escape sequences and non-printable
control characters (preserving newlines, carriage returns, and tabs)
from all container and deployment log output paths:

- HandleAppLogs (text/plain response)
- HandleDeploymentLogsAPI (JSON response)
- HandleContainerLogsAPI (JSON response)

Container log output is attacker-controlled data. Content-Type alone
is insufficient — the data itself must be sanitized before serving.

Includes comprehensive test coverage for the sanitization function.
This commit is contained in:
user
2026-02-19 20:36:13 -08:00
parent 1417a87dff
commit 387a0f1d9a
3 changed files with 118 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
internal/handlers/app.go
View File

@@ -499,7 +499,8 @@ func (h *Handlers) HandleAppLogs() http.HandlerFunc {
return
}
_, _ = writer.Write([]byte(logs))
_, _ = writer.Write([]byte(SanitizeLogs(logs)))
}
}
@@ -534,7 +535,7 @@ func (h *Handlers) HandleDeploymentLogsAPI() http.HandlerFunc {
logs := ""
if deployment.Logs.Valid {
logs = deployment.Logs.String
logs = SanitizeLogs(deployment.Logs.String)
}
response := map[string]any{
@@ -661,7 +662,7 @@ func (h *Handlers) HandleContainerLogsAPI() http.HandlerFunc {
}
response := map[string]any{
"logs": logs,
"logs": SanitizeLogs(logs),
"status": status,
}