From 86e1fd03494efad67161e3cb6e9e0d97b53f3341 Mon Sep 17 00:00:00 2001
From: GoodVaibhs <99231451+GoodVaibhs@users.noreply.github.com>
Date: Fri, 19 Jun 2026 20:29:26 -0700
Subject: [PATCH 1/3] fix: redirect anonymous commenters to login instead of crashing

The comment POST handler in post() read session["username"] directly without checking it was set. Any unauthenticated POST to /post/ with a comment field (and no delete button fields) raised an unhandled KeyError / 500 instead of failing gracefully. Add the same not-logged-in guard already used for the post-delete and comment-delete paths in this codebase, redirecting to the login page with a return path, consistent with the &-delimited redirect convention used elsewhere (see login.py, edit_post.py).
---
 app/routes/post.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/app/routes/post.py b/app/routes/post.py
index 4230780ff..fb4ba9860 100755
--- a/app/routes/post.py
+++ b/app/routes/post.py
@@ -50,6 +50,13 @@ def post(url_id=None, slug=None):
         delete_comment(request.form["comment_id"])
         return redirect(url_for("post.post", url_id=url_id)), 301
 
+    if "username" not in session:
+        Log.error(
+            f"{request.remote_addr} tried to comment on post: "
+            f'"{url_id}" without logging in',
+        )
+        return redirect(f"/login/redirect=&post&{url_id}")
+
     comment_text = escape(request.form["comment"])
 
     new_comment = Comment(

From a7c6fad02454cd1a0f9627a275cbaae1201578b6 Mon Sep 17 00:00:00 2001
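Review bot: The new `return redirect(f"/login/redirect=&post&{url_id}")` line interpolates the raw path segment into the Location header, so a `url_id` containing `&`, `/` or other reserved characters would corrupt the &-delimited return path that the login page parses (login.py is not visible here, so the exact failure is inferred). Quoting the segment, e.g. `return redirect(f"/login/redirect=&post&{quote(url_id, safe='')}")` with `urllib.parse.quote` imported at the top of the file, keeps the round trip intact; the same redirect line is retained unchanged by the second commit in this series. Logging a plain unauthenticated attempt at `Log.error` also reads as a server fault rather than an expected client condition, so a lower level would be more appropriate if the Log helper offers one. `post()` starts and continues outside the hunk.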
From: GoodVaibhs <99231451+GoodVaibhs@users.noreply.github.com>
Date: Fri, 19 Jun 2026 20:50:57 -0700
Subject: [PATCH 2/3] fix: sanitize request-derived values before logging (CWE-117)

The not-logged-in-comment log line interpolated request.remote_addr and url_id directly into the message. Both are attacker-influenced (client IP / URL path segment), so an attacker could inject CR/LF characters and forge fake log lines. Add a small sanitize_for_log() helper that strips CR/LF before the values are written to the log, and use it for both fields. Addresses a CodeRabbit review comment on this PR.
---
 app/routes/post.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/app/routes/post.py b/app/routes/post.py
index fb4ba9860..b2b62c48c 100755
--- a/app/routes/post.py
+++ b/app/routes/post.py
@@ -18,6 +18,7 @@ from utils.forms.comment_form import CommentForm
 from utils.generate_url_id_from_post import get_slug_from_post_title
 from utils.log import Log
+from utils.sanitize_for_log import sanitize_for_log
 from utils.time import current_time_stamp
 
 post_blueprint = Blueprint("post", __name__)
 
@@ -51,9 +52,11 @@ def post(url_id=None, slug=None):
         return redirect(url_for("post.post", url_id=url_id)), 301
 
     if "username" not in session:
+        safe_remote_addr = sanitize_for_log(request.remote_addr)
+        safe_url_id = sanitize_for_log(url_id)
         Log.error(
-            f"{request.remote_addr} tried to comment on post: "
-            f'"{url_id}" without logging in',
+            f"{safe_remote_addr} tried to comment on post: "
+            f'"{safe_url_id}" without logging in',
         )
         return redirect(f"/login/redirect=&post&{url_id}")
 

From 75a866a6d085dfa9f12ac405265e031007d64066 Mon Sep 17 00:00:00 2001
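Review bot: In the second hunk the `safe_remote_addr = sanitize_for_log(request.remote_addr)` line treats the peer address as injectable, but `request.remote_addr` is normally set by the WSGI server from the socket peer and cannot carry CR/LF; it only becomes client-influenced if a proxy-fix layer copies it from a forwarded header, which is not visible from this diff. Sanitizing it is harmless, but the genuinely untrusted field is `url_id`, and the docstring or a comment should say which of the two is the real vector so the next reader does not conclude the peer address was the problem. The first commit's message says the post-delete and comment-delete paths already have the same not-logged-in guard; if those log the same fields, they presumably need the same `sanitize_for_log` treatment, otherwise the fix covers one of several identical log lines. `post()` starts and continues outside the hunk.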
From: GoodVaibhs <99231451+GoodVaibhs@users.noreply.github.com>
Date: Fri, 19 Jun 2026 20:51:38 -0700
Subject: [PATCH 3/3] Add sanitize_for_log helper

New helper used by post.py to strip CR/LF from request-derived values before they're written to the log (CWE-117). See the previous commit on this branch for the call sites.
---
 app/utils/sanitize_for_log.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 app/utils/sanitize_for_log.py

diff --git a/app/utils/sanitize_for_log.py b/app/utils/sanitize_for_log.py
new file mode 100644
index 000000000..dc5a7316e
--- /dev/null
+++ b/app/utils/sanitize_for_log.py
@@ -0,0 +1,15 @@
+"""
+This module contains the function to sanitize untrusted values before they are
+written to log output.
+"""
+
+
+def sanitize_for_log(value):
+    """Strip CR/LF characters from a value before it is interpolated into a log message.
+
+    Request-derived values (client IPs, URL segments, etc.) are attacker
+    controlled. Logging them unsanitized lets an attacker inject carriage
+    return / line feed characters and forge fake log lines (CWE-117).
+    """
+
+    return str(value).replace("\r", "").replace("\n", "")
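Review bot: The `return str(value).replace("\r", "").replace("\n", "")` line removes only the two characters named in the docstring, so other control characters (ESC for terminal escape sequences, backspace, NUL, tab, and the Unicode line separators U+0085/U+2028/U+2029 that several log viewers render as line breaks) still reach the log untouched, which leaves the CWE-117 issue the commit names only partly addressed. Dropping the characters also erases the evidence: a forged-line attempt becomes indistinguishable from an innocent value, whereas escaping them keeps the tampering visible to whoever reads the log. A `str.translate` table that maps each control character, plus the backslash so the escapes stay unambiguous, to its `repr`-style escape covers both points with no new import; the docstring summary should then read "Escape control characters in a value before it is interpolated into a log message".
```python
# Escape rather than strip: the record keeps the raw bytes visible as "\x1b",
# "\n", "\u2028" etc., so an injection attempt is still evident in the log.
# Backslash is escaped too so a literal two-character "\n" cannot be confused
# with an escaped newline.
_CONTROL_ESCAPES = {
    code: repr(chr(code))[1:-1]
    for code in (
        *range(0x00, 0x20),  # C0 controls incl. CR, LF, TAB, ESC, NUL
        0x5C,  # backslash
        0x7F,  # DEL
        *range(0x80, 0xA0),  # C1 controls incl. NEL (U+0085)
        0x2028,  # LINE SEPARATOR
        0x2029,  # PARAGRAPH SEPARATOR
    )
}


def sanitize_for_log(value):
    # … unchanged: docstring (with the summary line updated as noted) …
    return str(value).translate(_CONTROL_ESCAPES)
```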