Skip to content

fix: CEF-escape Action and Details to prevent log injection (PILOT-263)#17

Open
matthew-pilot wants to merge 2 commits into
mainfrom
openclaw/pilot-263-20260530-003137
Open

fix: CEF-escape Action and Details to prevent log injection (PILOT-263)#17
matthew-pilot wants to merge 2 commits into
mainfrom
openclaw/pilot-263-20260530-003137

Conversation

@matthew-pilot
Copy link
Copy Markdown
Collaborator

@matthew-pilot matthew-pilot commented May 30, 2026

What

User-controlled Action and Details strings in audit/audit_export.go were interpolated directly into CEF output without escaping. An attacker could inject | and = characters to forge extension fields or corrupt CEF header parsing consumed by SIEM parsers.

Fix

Add a cefEscape() helper that escapes \\, =, |, \r, \n per the CEF escaping convention, and apply it to:

  • Action before the CEF header and cs1= extension
  • Details before the msg= extension

Verification

go build ./...     ✓
go vet ./...       ✓
go test ./...      ✓ (all 17 packages)

Two new regression tests (TestFormatCEFEscapesInjectionCharactersInAction, TestFormatCEFEscapesInjectionCharactersInDetails) demonstrate the vulnerability and confirm the fix.

Scope

Metric Value
Files 2 (audit_export.go, zz_audit_test.go)
LoC +57 / -3 
git diff --stat HEAD~1
 audit/audit_export.go  | 19 ++++++++++++++++---
 audit/zz_audit_test.go | 41 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+), 3 deletions(-)

Closes PILOT-263

@matthew-pilot
test(audit): add CEF injection escaping regression tests (PILOT-263)
689309a 
Two failing tests that demonstrate the vulnerability:
- Action containing pipe characters corrupts CEF header parsing,
  injecting fake extension fields (cn2, src, act).
- Details containing pipe and newline characters corrupt
  msg extension and create fake CEF lines.
@matthew-pilot
fix(audit): CEF-escape Action and Details to prevent log injection (P…
3b7ecd5 
…ILOT-263)

User-controlled Action and Details strings were interpolated
directly into CEF output without escaping. An attacker could
inject | and = characters to forge extension fields or fake
CEF headers consumed by SIEM parsers.

Add cefEscape() helper that escapes \, =, |, \r, \n per
the CEF escaping convention, and apply it to Action before
both the header and extensions, and to Details before the
msg extension.

Closes PILOT-263
@matthew-pilot matthew-pilot added the matthew-fix-larger Medium-scope autonomous fix (≤10 files, ≤200 LoC) label May 30, 2026
@codecov
Copy link
Copy Markdown

codecov Bot commented May 30, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@matthew-pilot
Copy link
Copy Markdown
Collaborator Author

matthew-pilot commented May 30, 2026

🦾 Matthew PR Status — #17

Title: fix: CEF-escape Action and Details to prevent log injection (PILOT-263)
Status: OPEN | Mergeable: MERGEABLE
Author: @matthew-pilot (matthew-pilot bot)
Created: 2026-05-30T00:33:13Z
Branch: openclaw/pilot-263-20260530-003137main
Changes: +57/-3 across 2 files

Tickets

🔗 PILOT-263

Labels

matthew-fix-larger

Files Changed

  • audit/audit_export.go (+16)
  • audit/zz_audit_test.go (+41)

Next Actions

  • Explain: /pr explain #17 — detailed analysis
  • Canary retry: /pr retry-canary #17 (if CI failed)
  • Fix & update: /pr fix #17 <instructions>
  • Rebase: /pr rebase #17
  • Close: /pr close #17 <reason>

🦾 Auto-generated status check by matthew-pr-worker

@matthew-pilot
Copy link
Copy Markdown
Collaborator Author

matthew-pilot commented May 30, 2026

🦾 Matthew PR Explain — #17

What this PR does

fix: CEF-escape Action and Details to prevent log injection (PILOT-263)

Scope

  • Files: 2 files
  • Delta: +57/-3 lines
  • Labels: matthew-fix-larger
  • Mergeable: MERGEABLE

Tickets

🔗 PILOT-263

Files

  • audit/audit_export.go (+16/-3)
  • audit/zz_audit_test.go (+41/-0)

Review Notes

  • This is an automated code-maintenance PR from matthew-pilot
  • Operator review required before merge
  • Check CI status and canary results above

🦾 Auto-generated explain by matthew-pr-worker

@matthew-pilot
Copy link
Copy Markdown
Collaborator Author

matthew-pilot commented Jun 1, 2026

📊 PR Status — #17 PILOT-263

State: OPEN · MERGEABLE · Not draft
Branch: openclaw/pilot-263-20260530-003137main
CI: ✅ All checks passing (test, codecov/patch)
Canary: ❌ Failed (label: canary-failed) — canary run has not yet passed
Labels: matthew-fix-larger, canary-failed
Last activity: 2026-05-31 05:27 UTC (labels updated)
Jira: PILOT-263 — status unavailable (Jira not reachable this tick)

⏭ Next: canary needs to pass before merge. No reviews yet.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

canary-failed matthew-fix-larger Medium-scope autonomous fix (≤10 files, ≤200 LoC)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@matthew-pilot