Sanitize eventName in SSE server controller before logging it (#1061)

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
nmshd · Feb 27, 2025 · ba43896 · ba43896
1 parent ec80795
commit ba43896
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/Applications/SseServer/src/SseServer/Controllers/EventQueue.cs b/Applications/SseServer/src/SseServer/Controllers/EventQueue.cs
@@ -28,7 +28,8 @@ public void Deregister(string address)
 
     public async Task EnqueueFor(string address, string eventName, CancellationToken cancellationToken)
     {
-        _logger.LogDebug("Enqueueing event '{EventName}'", eventName);
+        var sanitizedEventName = eventName.Replace(Environment.NewLine, "").Replace("\n", "").Replace("\r", "");
+        _logger.LogDebug("Enqueueing event '{EventName}'", sanitizedEventName);
 
         if (!_channels.TryGetValue(address, out var channel))
             throw new ClientNotFoundException();