Sanitize user-provided webhook fields before logging to prevent log forging

Nick Campanini · Nick Campanini · commit 927b353b5acf · 2026-03-15T22:41:14.000-04:00
diff --git a/src/SEBT.Portal.UseCases/IdProofing/ProcessWebhook/ProcessWebhookCommandHandler.cs b/src/SEBT.Portal.UseCases/IdProofing/ProcessWebhook/ProcessWebhookCommandHandler.cs
@@ -26,6 +26,9 @@ public class ProcessWebhookCommandHandler(
     ILogger<ProcessWebhookCommandHandler> logger)
     : ICommandHandler<ProcessWebhookCommand>
 {
+    private static string SanitizeForLogging(string? value) =>
+        value?.Replace("\r", string.Empty).Replace("\n", string.Empty) ?? string.Empty;
+
     public async Task<Result> Handle(
         ProcessWebhookCommand command,
         CancellationToken cancellationToken = default)
@@ -54,7 +57,7 @@ public async Task<Result> Handle(
             // contract with Socure has changed and all webhooks are being silently dropped.
             logger.LogError(
                 "Webhook received but no challenge found for ReferenceId={ReferenceId}, EvalId={EvalId}",
-                command.ReferenceId, command.EvalId);
+                SanitizeForLogging(command.ReferenceId), SanitizeForLogging(command.EvalId));
             // Return success to prevent Socure retries — challenge may have been cleaned up
             return Result.Success();
         }
@@ -64,7 +67,7 @@ public async Task<Result> Handle(
         {
             logger.LogInformation(
                 "Webhook event {EventId} already processed for challenge {ChallengeId}",
-                command.EventId, challenge.PublicId);
+                SanitizeForLogging(command.EventId), challenge.PublicId);
             return Result.Success();
         }
 
@@ -73,7 +76,7 @@ public async Task<Result> Handle(
         {
             logger.LogWarning(
                 "Webhook event {EventId} arrived for terminal challenge {ChallengeId} (status: {Status})",
-                command.EventId, challenge.PublicId, challenge.Status);
+                SanitizeForLogging(command.EventId), challenge.PublicId, challenge.Status);
             return Result.Success();
         }
 
@@ -82,7 +85,7 @@ public async Task<Result> Handle(
         {
             logger.LogInformation(
                 "Webhook event {EventId}: intermediate decision {Decision}, challenge {ChallengeId} stays Pending",
-                command.EventId, command.DocumentDecision, challenge.PublicId);
+                SanitizeForLogging(command.EventId), SanitizeForLogging(command.DocumentDecision), challenge.PublicId);
             return Result.Success();
         }
 
@@ -91,7 +94,7 @@ public async Task<Result> Handle(
         {
             logger.LogWarning(
                 "Webhook event {EventId} has unrecognized document decision: {Decision}",
-                command.EventId, command.DocumentDecision);
+                SanitizeForLogging(command.EventId), SanitizeForLogging(command.DocumentDecision));
             return Result.Success();
         }
 
@@ -124,13 +127,13 @@ public async Task<Result> Handle(
             logger.LogInformation(
                 "Webhook event {EventId}: concurrency conflict on challenge {ChallengeId}, " +
                 "another thread already processed it",
-                command.EventId, challenge.PublicId);
+                SanitizeForLogging(command.EventId), challenge.PublicId);
             return Result.Success();
         }
 
         logger.LogInformation(
             "Webhook event {EventId}: challenge {ChallengeId} transitioned to {Status}",
-            command.EventId, challenge.PublicId, newStatus);
+            SanitizeForLogging(command.EventId), challenge.PublicId, newStatus);
 
         // If verified: update user's proofing status and IAL level
         if (newStatus == DocVerificationStatus.Verified)

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,9 @@ public class ProcessWebhookCommandHandler(`
`26`	`26`	`ILogger<ProcessWebhookCommandHandler> logger)`
`27`	`27`	`: ICommandHandler<ProcessWebhookCommand>`
`28`	`28`	`{`
	`29`	`+ private static string SanitizeForLogging(string? value) =>`
	`30`	`+ value?.Replace("\r", string.Empty).Replace("\n", string.Empty) ?? string.Empty;`
	`31`	`+`
`29`	`32`	`public async Task<Result> Handle(`
`30`	`33`	`ProcessWebhookCommand command,`
`31`	`34`	`CancellationToken cancellationToken = default)`
`@@ -54,7 +57,7 @@ public async Task<Result> Handle(`
`54`	`57`	`// contract with Socure has changed and all webhooks are being silently dropped.`
`55`	`58`	`logger.LogError(`
`56`	`59`	`"Webhook received but no challenge found for ReferenceId={ReferenceId}, EvalId={EvalId}",`
`57`		`- command.ReferenceId, command.EvalId);`
	`60`	`+ SanitizeForLogging(command.ReferenceId), SanitizeForLogging(command.EvalId));`
`58`	`61`	`// Return success to prevent Socure retries — challenge may have been cleaned up`
`59`	`62`	`return Result.Success();`
`60`	`63`	`}`
`@@ -64,7 +67,7 @@ public async Task<Result> Handle(`
`64`	`67`	`{`
`65`	`68`	`logger.LogInformation(`
`66`	`69`	`"Webhook event {EventId} already processed for challenge {ChallengeId}",`
`67`		`- command.EventId, challenge.PublicId);`
	`70`	`+ SanitizeForLogging(command.EventId), challenge.PublicId);`
`68`	`71`	`return Result.Success();`
`69`	`72`	`}`
`70`	`73`
`@@ -73,7 +76,7 @@ public async Task<Result> Handle(`
`73`	`76`	`{`
`74`	`77`	`logger.LogWarning(`
`75`	`78`	`"Webhook event {EventId} arrived for terminal challenge {ChallengeId} (status: {Status})",`
`76`		`- command.EventId, challenge.PublicId, challenge.Status);`
	`79`	`+ SanitizeForLogging(command.EventId), challenge.PublicId, challenge.Status);`
`77`	`80`	`return Result.Success();`
`78`	`81`	`}`
`79`	`82`
`@@ -82,7 +85,7 @@ public async Task<Result> Handle(`
`82`	`85`	`{`
`83`	`86`	`logger.LogInformation(`
`84`	`87`	`"Webhook event {EventId}: intermediate decision {Decision}, challenge {ChallengeId} stays Pending",`
`85`		`- command.EventId, command.DocumentDecision, challenge.PublicId);`
	`88`	`+ SanitizeForLogging(command.EventId), SanitizeForLogging(command.DocumentDecision), challenge.PublicId);`
`86`	`89`	`return Result.Success();`
`87`	`90`	`}`
`88`	`91`
`@@ -91,7 +94,7 @@ public async Task<Result> Handle(`
`91`	`94`	`{`
`92`	`95`	`logger.LogWarning(`
`93`	`96`	`"Webhook event {EventId} has unrecognized document decision: {Decision}",`
`94`		`- command.EventId, command.DocumentDecision);`
	`97`	`+ SanitizeForLogging(command.EventId), SanitizeForLogging(command.DocumentDecision));`
`95`	`98`	`return Result.Success();`
`96`	`99`	`}`
`97`	`100`
`@@ -124,13 +127,13 @@ public async Task<Result> Handle(`
`124`	`127`	`logger.LogInformation(`
`125`	`128`	`"Webhook event {EventId}: concurrency conflict on challenge {ChallengeId}, " +`
`126`	`129`	`"another thread already processed it",`
`127`		`- command.EventId, challenge.PublicId);`
	`130`	`+ SanitizeForLogging(command.EventId), challenge.PublicId);`
`128`	`131`	`return Result.Success();`
`129`	`132`	`}`
`130`	`133`
`131`	`134`	`logger.LogInformation(`
`132`	`135`	`"Webhook event {EventId}: challenge {ChallengeId} transitioned to {Status}",`
`133`		`- command.EventId, challenge.PublicId, newStatus);`
	`136`	`+ SanitizeForLogging(command.EventId), challenge.PublicId, newStatus);`
`134`	`137`
`135`	`138`	`// If verified: update user's proofing status and IAL level`
`136`	`139`	`if (newStatus == DocVerificationStatus.Verified)`