Sanitize siteKey input to prevent log injection

Fabinatix97 · Fabinatix97 · commit 49e176031d1b · 2025-08-08T11:36:47.000+02:00
diff --git a/captchaservice-backend/src/main/java/de/muenchen/captchaservice/service/captcha/MetricsService.java b/captchaservice-backend/src/main/java/de/muenchen/captchaservice/service/captcha/MetricsService.java
@@ -51,7 +51,7 @@ public void recordVerifySuccess(String siteKey, SourceAddress sourceAddress) {
 
     public void recordClientSolveTime(String siteKey, SourceAddress sourceAddress, long solveTime) {
         if (solveTime <= 0) {
-            log.warn("Invalid solve time value: {} for site: {}", solveTime, siteKey);
+            log.warn("Invalid solve time value: {} for site: {}", solveTime, sanitizeForLog(siteKey));
             return;
         }
 
@@ -71,4 +71,13 @@ public void initializeInvalidatedPayloadsGauge() {
                 .description("Gauge for the number of currently invalidated payloads")
                 .register(meterRegistry);
     }
+
+    /**
+     * Sanitizes user input for logging to prevent log injection.
+     * Removes newlines and carriage returns.
+     */
+    private static String sanitizeForLog(String input) {
+        if (input == null) return null;
+        return input.replaceAll("[\\r\\n]", "");
+    }
 }
