Logger middleware should escape string values when outputting JSON

Author: aldas

middleware/logger.go

@@ -197,6 +197,7 @@ type LoggerConfig struct {
 	template *fasttemplate.Template
 	colorer  *color.Color
 	pool     *sync.Pool
+	timeNow  func() time.Time
 }
 
 // DefaultLoggerConfig is the default Logger middleware config.
@@ -208,6 +209,7 @@ var DefaultLoggerConfig = LoggerConfig{
 		`,"bytes_in":${bytes_in},"bytes_out":${bytes_out}}` + "\n",
 	CustomTimeFormat: "2006-01-02 15:04:05.00000",
 	colorer:          color.New(),
+	timeNow:          time.Now,
 }
 
 // Logger returns a middleware that logs HTTP requests using the default configuration.
@@ -267,9 +269,18 @@ func LoggerWithConfig(config LoggerConfig) echo.MiddlewareFunc {
 	if config.Format == "" {
 		config.Format = DefaultLoggerConfig.Format
 	}
+	writeString := func(buf *bytes.Buffer, in string) (int, error) { return buf.WriteString(in) }
+	if config.Format[0] == '{' { // format looks like JSON, so we need to escape invalid characters
+		writeString = writeJSONSafeString
+	}
+
 	if config.Output == nil {
 		config.Output = DefaultLoggerConfig.Output
 	}
+	timeNow := DefaultLoggerConfig.timeNow
+	if config.timeNow != nil {
+		timeNow = config.timeNow
+	}
 
 	config.template = fasttemplate.New(config.Format, "${", "}")
 	config.colorer = color.New()
@@ -305,49 +316,47 @@ func LoggerWithConfig(config LoggerConfig) echo.MiddlewareFunc {
 					}
 					return config.CustomTagFunc(c, buf)
 				case "time_unix":
-					return buf.WriteString(strconv.FormatInt(time.Now().Unix(), 10))
+					return buf.WriteString(strconv.FormatInt(timeNow().Unix(), 10))
 				case "time_unix_milli":
-					// go 1.17 or later, it supports time#UnixMilli()
-					return buf.WriteString(strconv.FormatInt(time.Now().UnixNano()/1000000, 10))
+					return buf.WriteString(strconv.FormatInt(timeNow().UnixMilli(), 10))
 				case "time_unix_micro":
-					// go 1.17 or later, it supports time#UnixMicro()
-					return buf.WriteString(strconv.FormatInt(time.Now().UnixNano()/1000, 10))
+					return buf.WriteString(strconv.FormatInt(timeNow().UnixMicro(), 10))
 				case "time_unix_nano":
-					return buf.WriteString(strconv.FormatInt(time.Now().UnixNano(), 10))
+					return buf.WriteString(strconv.FormatInt(timeNow().UnixNano(), 10))
 				case "time_rfc3339":
-					return buf.WriteString(time.Now().Format(time.RFC3339))
+					return buf.WriteString(timeNow().Format(time.RFC3339))
 				case "time_rfc3339_nano":
-					return buf.WriteString(time.Now().Format(time.RFC3339Nano))
+					return buf.WriteString(timeNow().Format(time.RFC3339Nano))
 				case "time_custom":
-					return buf.WriteString(time.Now().Format(config.CustomTimeFormat))
+					return buf.WriteString(timeNow().Format(config.CustomTimeFormat))
 				case "id":
 					id := req.Header.Get(echo.HeaderXRequestID)
 					if id == "" {
 						id = res.Header().Get(echo.HeaderXRequestID)
 					}
-					return buf.WriteString(id)
+					return writeString(buf, id)
 				case "remote_ip":
-					return buf.WriteString(c.RealIP())
+					return writeString(buf, c.RealIP())
 				case "host":
-					return buf.WriteString(req.Host)
+					return writeString(buf, req.Host)
 				case "uri":
-					return buf.WriteString(req.RequestURI)
+					return writeString(buf, req.RequestURI)
 				case "method":
-					return buf.WriteString(req.Method)
+					return writeString(buf, req.Method)
 				case "path":
 					p := req.URL.Path
 					if p == "" {
 						p = "/"
 					}
-					return buf.WriteString(p)
+					return writeString(buf, p)
 				case "route":
-					return buf.WriteString(c.Path())
+					return writeString(buf, c.Path())
 				case "protocol":
-					return buf.WriteString(req.Proto)
+					return writeString(buf, req.Proto)
 				case "referer":
-					return buf.WriteString(req.Referer())
+					return writeString(buf, req.Referer())
 				case "user_agent":
-					return buf.WriteString(req.UserAgent())
+					return writeString(buf, req.UserAgent())
 				case "status":
 					n := res.Status
 					s := config.colorer.Green(n)
@@ -377,17 +386,17 @@ func LoggerWithConfig(config LoggerConfig) echo.MiddlewareFunc {
 					if cl == "" {
 						cl = "0"
 					}
-					return buf.WriteString(cl)
+					return writeString(buf, cl)
 				case "bytes_out":
 					return buf.WriteString(strconv.FormatInt(res.Size, 10))
 				default:
 					switch {
 					case strings.HasPrefix(tag, "header:"):
-						return buf.Write([]byte(c.Request().Header.Get(tag[7:])))
+						return writeString(buf, c.Request().Header.Get(tag[7:]))
 					case strings.HasPrefix(tag, "query:"):
-						return buf.Write([]byte(c.QueryParam(tag[6:])))
+						return writeString(buf, c.QueryParam(tag[6:]))
 					case strings.HasPrefix(tag, "form:"):
-						return buf.Write([]byte(c.FormValue(tag[5:])))
+						return writeString(buf, c.FormValue(tag[5:]))
 					case strings.HasPrefix(tag, "cookie:"):
 						cookie, err := c.Cookie(tag[7:])
 						if err == nil {

middleware/logger_strings.go

@@ -0,0 +1,237 @@
+// Copyright 2010 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package middleware
+
+import (
+	"bytes"
+	"unicode/utf8"
+)
+
+// This function is modified copy from Go standard library encoding/json/encode.go `appendString` function
+// Source: https://github.com/golang/go/blob/36bca3166e18db52687a4d91ead3f98ffe6d00b8/src/encoding/json/encode.go#L999
+func writeJSONSafeString(buf *bytes.Buffer, src string) (int, error) {
+	const hex = "0123456789abcdef"
+
+	written := 0
+	start := 0
+	for i := 0; i < len(src); {
+		if b := src[i]; b < utf8.RuneSelf {
+			if safeSet[b] {
+				i++
+				continue
+			}
+
+			n, err := buf.Write([]byte(src[start:i]))
+			written += n
+			if err != nil {
+				return written, err
+			}
+			switch b {
+			case '\\', '"':
+				n, err := buf.Write([]byte{'\\', b})
+				written += n
+				if err != nil {
+					return written, err
+				}
+			case '\b':
+				n, err := buf.Write([]byte{'\\', 'b'})
+				if err != nil {
+					return n, err
+				}
+			case '\f':
+				n, err := buf.Write([]byte{'\\', 'f'})
+				written += n
+				if err != nil {
+					return written, err
+				}
+			case '\n':
+				n, err := buf.Write([]byte{'\\', 'f'})
+				written += n
+				if err != nil {
+					return written, err
+				}
+			case '\r':
+				n, err := buf.Write([]byte{'\\', 'r'})
+				written += n
+				if err != nil {
+					return written, err
+				}
+			case '\t':
+				n, err := buf.Write([]byte{'\\', 't'})
+				written += n
+				if err != nil {
+					return written, err
+				}
+			default:
+				// This encodes bytes < 0x20 except for \b, \f, \n, \r and \t.
+				// If escapeHTML is set, it also escapes <, >, and &
+				// because they can lead to security holes when
+				// user-controlled strings are rendered into JSON
+				// and served to some browsers.
+				n, err := buf.Write([]byte{'\\', 'u', '0', '0', hex[b>>4], hex[b&0xF]})
+				written += n
+				if err != nil {
+					return written, err
+				}
+			}
+			i++
+			start = i
+			continue
+		}
+		// TODO(https://go.dev/issue/56948): Use generic utf8 functionality.
+		// For now, cast only a small portion of byte slices to a string
+		// so that it can be stack allocated. This slows down []byte slightly
+		// due to the extra copy, but keeps string performance roughly the same.
+		srcN := min(len(src)-i, utf8.UTFMax)
+		c, size := utf8.DecodeRuneInString(src[i : i+srcN])
+		if c == utf8.RuneError && size == 1 {
+			n, err := buf.Write([]byte(src[start:i]))
+			written += n
+			if err != nil {
+				return written, err
+			}
+			n, err = buf.Write([]byte(`\ufffd`))
+			written += n
+			if err != nil {
+				return written, err
+			}
+			i += size
+			start = i
+			continue
+		}
+		// U+2028 is LINE SEPARATOR.
+		// U+2029 is PARAGRAPH SEPARATOR.
+		// They are both technically valid characters in JSON strings,
+		// but don't work in JSONP, which has to be evaluated as JavaScript,
+		// and can lead to security holes there. It is valid JSON to
+		// escape them, so we do so unconditionally.
+		// See https://en.wikipedia.org/wiki/JSON#Safety.
+		if c == '\u2028' || c == '\u2029' {
+			n, err := buf.Write([]byte(src[start:i]))
+			written += n
+			if err != nil {
+				return written, err
+			}
+			n, err = buf.Write([]byte{'\\', 'u', '2', '0', '2', hex[c&0xF]})
+			written += n
+			if err != nil {
+				return written, err
+			}
+
+			i += size
+			start = i
+			continue
+		}
+		i += size
+	}
+	n, err := buf.Write([]byte(src[start:]))
+	written += n
+	return written, err
+}
+
+// safeSet holds the value true if the ASCII character with the given array
+// position can be represented inside a JSON string without any further
+// escaping.
+//
+// All values are true except for the ASCII control characters (0-31), the
+// double quote ("), and the backslash character ("\").
+var safeSet = [utf8.RuneSelf]bool{
+	' ':      true,
+	'!':      true,
+	'"':      false,
+	'#':      true,
+	'$':      true,
+	'%':      true,
+	'&':      true,
+	'\'':     true,
+	'(':      true,
+	')':      true,
+	'*':      true,
+	'+':      true,
+	',':      true,
+	'-':      true,
+	'.':      true,
+	'/':      true,
+	'0':      true,
+	'1':      true,
+	'2':      true,
+	'3':      true,
+	'4':      true,
+	'5':      true,
+	'6':      true,
+	'7':      true,
+	'8':      true,
+	'9':      true,
+	':':      true,
+	';':      true,
+	'<':      true,
+	'=':      true,
+	'>':      true,
+	'?':      true,
+	'@':      true,
+	'A':      true,
+	'B':      true,
+	'C':      true,
+	'D':      true,
+	'E':      true,
+	'F':      true,
+	'G':      true,
+	'H':      true,
+	'I':      true,
+	'J':      true,
+	'K':      true,
+	'L':      true,
+	'M':      true,
+	'N':      true,
+	'O':      true,
+	'P':      true,
+	'Q':      true,
+	'R':      true,
+	'S':      true,
+	'T':      true,
+	'U':      true,
+	'V':      true,
+	'W':      true,
+	'X':      true,
+	'Y':      true,
+	'Z':      true,
+	'[':      true,
+	'\\':     false,
+	']':      true,
+	'^':      true,
+	'_':      true,
+	'`':      true,
+	'a':      true,
+	'b':      true,
+	'c':      true,
+	'd':      true,
+	'e':      true,
+	'f':      true,
+	'g':      true,
+	'h':      true,
+	'i':      true,
+	'j':      true,
+	'k':      true,
+	'l':      true,
+	'm':      true,
+	'n':      true,
+	'o':      true,
+	'p':      true,
+	'q':      true,
+	'r':      true,
+	's':      true,
+	't':      true,
+	'u':      true,
+	'v':      true,
+	'w':      true,
+	'x':      true,
+	'y':      true,
+	'z':      true,
+	'{':      true,
+	'|':      true,
+	'}':      true,
+	'~':      true,
+	'\u007f': true,
+}