[FIX][SECURITY]: Add log sanitizer utility to prevent log injection attacks (#3000) (#3227)

* Added utility for strips and control character from values before logging

Signed-off-by: Smruti Sahoo <smruti.sahoo1@ibm.com>

* fix(tests): remove unused pytest import from log sanitizer tests

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* style(tests): remove trailing whitespace in log sanitizer tests

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

---------

Signed-off-by: Smruti Sahoo <smruti.sahoo1@ibm.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Smruti Sahoo <smruti.sahoo1@ibm.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
Signed-off-by: Yosief Eyob <yosiefogbazion@gmail.com>

Author: 3 people

mcpgateway/routers/oauth_router.py

@@ -35,6 +35,7 @@
 from mcpgateway.services.encryption_service import protect_oauth_config_for_storage
 from mcpgateway.services.oauth_manager import OAuthError, OAuthManager
 from mcpgateway.services.token_storage_service import TokenStorageService
+from mcpgateway.utils.log_sanitizer import sanitize_for_log
 
 logger = logging.getLogger(__name__)
 
@@ -451,7 +452,8 @@ async def oauth_callback(
         if error:
             error_text = escape(error)
             description_text = escape(error_description or "OAuth provider returned an authorization error.")
-            logger.warning(f"OAuth provider returned error callback: error={error}, description={error_description}")
+            # Sanitize untrusted query parameters before logging to prevent log injection
+            logger.warning(f"OAuth provider returned error callback: error={sanitize_for_log(error)}, description={sanitize_for_log(error_description)}")
             return HTMLResponse(
                 content=f"""
                 <!DOCTYPE html>

mcpgateway/routers/sso.py

@@ -24,6 +24,7 @@
 from mcpgateway.middleware.rbac import get_current_user_with_permissions, require_permission
 from mcpgateway.services.logging_service import LoggingService
 from mcpgateway.services.sso_service import SSOService
+from mcpgateway.utils.log_sanitizer import sanitize_for_log
 
 # Initialize logging
 logging_service = LoggingService()
@@ -252,7 +253,8 @@ async def initiate_sso_login(
     # Validate redirect_uri to prevent open redirect attacks
     # Uses server-side allowlist (allowed_origins, app_domain) - does NOT trust Host header
     if not _validate_redirect_uri(redirect_uri, request):
-        logger.warning(f"SSO login rejected - invalid redirect_uri: {redirect_uri}")
+        # Sanitize untrusted redirect_uri before logging to prevent log injection
+        logger.warning(f"SSO login rejected - invalid redirect_uri: {sanitize_for_log(redirect_uri)}")
         raise HTTPException(
             status_code=status.HTTP_400_BAD_REQUEST,
             detail="Invalid redirect_uri. Must be a relative path or URL matching allowed origins.",

mcpgateway/routers/well_known.py

@@ -26,6 +26,7 @@
 from mcpgateway.db import get_db
 from mcpgateway.services.logging_service import LoggingService
 from mcpgateway.services.server_service import ServerError, ServerNotFoundError, ServerService
+from mcpgateway.utils.log_sanitizer import sanitize_for_log
 from mcpgateway.utils.verify_credentials import require_auth
 
 # Get logger instance
@@ -164,19 +165,22 @@ async def get_oauth_protected_resource_rfc9728(
 
     # Validate path structure
     if len(path_parts) < 2 or path_parts[0] != "servers":
-        logger.debug(f"Invalid RFC 9728 path format: {path}")
+        # Sanitize untrusted path before logging to prevent log injection
+        logger.debug(f"Invalid RFC 9728 path format: {sanitize_for_log(path)}")
         raise HTTPException(status_code=404, detail="Invalid resource path format. Expected: /.well-known/oauth-protected-resource/servers/{server_id}/mcp")
 
     server_id = path_parts[1]
 
     # Validate server_id is a valid UUID (prevents path traversal and injection)
     if not UUID_PATTERN.match(server_id):
-        logger.warning(f"Invalid server_id format (not a UUID): {server_id}")
+        # Sanitize untrusted server_id before logging to prevent log injection
+        logger.warning(f"Invalid server_id format (not a UUID): {sanitize_for_log(server_id)}")
         raise HTTPException(status_code=404, detail="Invalid server_id format. Must be a valid UUID.")
 
     # Reject paths with extra segments after /mcp (e.g., servers/uuid/mcp/extra)
     if len(path_parts) > 3:
-        logger.warning(f"RFC 9728 path has unexpected segments: {path}")
+        # Sanitize untrusted path before logging to prevent log injection
+        logger.warning(f"RFC 9728 path has unexpected segments: {sanitize_for_log(path)}")
         raise HTTPException(status_code=404, detail="Invalid resource path format. Expected: /.well-known/oauth-protected-resource/servers/{server_id}/mcp")
 
     # Build resource URL with /mcp suffix per MCP specification

mcpgateway/utils/log_sanitizer.py

@@ -0,0 +1,146 @@
+# -*- coding: utf-8 -*-
+"""Location: ./mcpgateway/utils/log_sanitizer.py
+Copyright 2025
+SPDX-License-Identifier: Apache-2.0
+
+Log Sanitization Utility.
+
+This module provides utilities to sanitize untrusted input before logging to prevent
+log injection attacks. Control characters like newlines (\n, \r) can be used to inject
+fabricated log entries when logging unauthenticated user input.
+
+Security Context:
+    Log injection occurs when an attacker includes control characters (especially newlines)
+    in query parameters, headers, or other user-controlled input that gets logged. When
+    URL-decoded by the ASGI framework, these characters are passed to Python's logging
+    module which does not sanitize them, allowing injection of fake log lines.
+
+    Example attack:
+        GET /oauth/callback?error=foo&error_description=bar%0ACRITICAL:root:SECURITY+BREACH
+
+    This produces two log lines:
+        WARNING:oauth:OAuth error: bar
+        CRITICAL:root:SECURITY BREACH
+
+    The second line is entirely fabricated by the attacker.
+
+Mitigation:
+    This utility strips or replaces control characters before logging. Structured logging
+    (JSON format) also mitigates this by encapsulating the full message as a single field.
+
+Examples:
+    >>> from mcpgateway.utils.log_sanitizer import sanitize_for_log
+    >>> sanitize_for_log("normal text")
+    'normal text'
+    >>> sanitize_for_log("text with\\nnewline")
+    'text with newline'
+    >>> sanitize_for_log("text with\\r\\nCRLF")
+    'text with  CRLF'
+    >>> sanitize_for_log("tab\\there")
+    'tab here'
+    >>> sanitize_for_log(None)
+    'None'
+    >>> sanitize_for_log(123)
+    '123'
+"""
+
+# Standard
+import re
+from typing import Any, Optional
+
+# Regex pattern to match control characters that could be used for log injection
+# Includes: \n (LF), \r (CR), \t (TAB), \v (VT), \f (FF), and other C0/C1 control chars
+# We preserve space (0x20) as it's safe and commonly used
+CONTROL_CHARS_PATTERN = re.compile(r"[\x00-\x1f\x7f-\x9f]")
+
+
+def sanitize_for_log(value: Any, replacement: str = " ") -> str:
+    """
+    Sanitize a value for safe logging by removing control characters.
+
+    This function converts the input to a string and removes all control characters
+    that could be used for log injection attacks. Control characters include newlines,
+    carriage returns, tabs, and other non-printable characters.
+
+    Args:
+        value: The value to sanitize. Can be any type; will be converted to string.
+        replacement: The string to replace control characters with. Defaults to a space.
+                    Use empty string '' to remove control characters entirely.
+
+    Returns:
+        A sanitized string safe for logging, with control characters replaced.
+
+    Security Notes:
+        - Always use this function when logging unauthenticated user input
+        - Particularly important for query parameters, headers, and form data
+        - Does not protect against other injection types (SQL, XSS, etc.)
+        - Structured logging (JSON) provides additional protection
+
+    Examples:
+        >>> sanitize_for_log("error: bad scope\\nCRITICAL:root:FAKE LOG")
+        'error: bad scope CRITICAL:root:FAKE LOG'
+        >>> sanitize_for_log("path/to/file\\x00null")
+        'path/to/file null'
+        >>> sanitize_for_log("normal text")
+        'normal text'
+        >>> sanitize_for_log(None)
+        'None'
+        >>> sanitize_for_log({"key": "value"})
+        "{'key': 'value'}"
+    """
+    # Convert to string first (handles None, numbers, objects, etc.)
+    str_value = str(value)
+
+    # Replace all control characters with the replacement string
+    sanitized = CONTROL_CHARS_PATTERN.sub(replacement, str_value)
+
+    return sanitized
+
+
+def sanitize_dict_for_log(data: dict[str, Any], replacement: str = " ") -> dict[str, str]:
+    """
+    Sanitize all values in a dictionary for safe logging.
+
+    This is useful when logging multiple related values, such as query parameters
+    or form data. Each value is sanitized individually.
+
+    Args:
+        data: Dictionary with string keys and any values
+        replacement: The string to replace control characters with
+
+    Returns:
+        A new dictionary with all values sanitized as strings
+
+    Examples:
+        >>> sanitize_dict_for_log({"error": "foo", "desc": "bar\\nFAKE"})
+        {'error': 'foo', 'desc': 'bar FAKE'}
+        >>> sanitize_dict_for_log({"count": 42, "name": "test\\ttab"})
+        {'count': '42', 'name': 'test tab'}
+    """
+    return {key: sanitize_for_log(value, replacement) for key, value in data.items()}
+
+
+def sanitize_optional(value: Optional[Any], replacement: str = " ") -> Optional[str]:
+    """
+    Sanitize an optional value, preserving None.
+
+    This is useful when you want to maintain None as None rather than converting
+    it to the string "None".
+
+    Args:
+        value: The value to sanitize, or None
+        replacement: The string to replace control characters with
+
+    Returns:
+        Sanitized string if value is not None, otherwise None
+
+    Examples:
+        >>> sanitize_optional("text\\nwith newline")
+        'text with newline'
+        >>> sanitize_optional(None)
+        >>> sanitize_optional(None) is None
+        True
+    """
+    if value is None:
+        return None
+    return sanitize_for_log(value, replacement)