From 0502df6fdbe9e3f2014a0e9b6094b38be02f4aa9 Mon Sep 17 00:00:00 2001 From: Arun Kumar Thiagarajan Date: Wed, 25 Mar 2026 08:51:15 +0530 Subject: [PATCH] fix(security): sanitize telemetry JSONL inputs against injection MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit SKILL, OUTCOME, SESSION_ID, SOURCE, and EVENT_TYPE values go directly into printf %s for JSONL output. If any contain double quotes, backslashes, or newlines, the JSON breaks — or worse, injects arbitrary fields. Fix: strip quotes, backslashes, and control characters from all string fields before JSONL construction via json_safe() helper. --- bin/gstack-telemetry-log | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/bin/gstack-telemetry-log b/bin/gstack-telemetry-log index 5cddc519..2573f29d 100755 --- a/bin/gstack-telemetry-log +++ b/bin/gstack-telemetry-log @@ -151,6 +151,14 @@ fi # ─── Construct and append JSON ─────────────────────────────── mkdir -p "$ANALYTICS_DIR" +# Sanitize string fields for JSON safety (strip quotes, backslashes, control chars) +json_safe() { printf '%s' "$1" | tr -d '"\\\n\r\t' | head -c 200; } +SKILL="$(json_safe "$SKILL")" +OUTCOME="$(json_safe "$OUTCOME")" +SESSION_ID="$(json_safe "$SESSION_ID")" +SOURCE="$(json_safe "$SOURCE")" +EVENT_TYPE="$(json_safe "$EVENT_TYPE")" + # Escape null fields ERR_FIELD="null" [ -n "$ERROR_CLASS" ] && ERR_FIELD="\"$ERROR_CLASS\""