fix: Fix Code Scanning Alerts (#241)

* fix: Fix Code Scanning Alerts

Author: pm7y

src/AzureEventGridSimulator.Tests/UnitTests/Middleware/SasKeyValidatorAegSasTokenTests.cs

@@ -112,4 +112,134 @@ public void GivenTokenWithInvalidExpirationFormat_WhenValidated_ThenReturnsFalse
 
         result.ShouldBeFalse();
     }
+
+    [Fact]
+    public void GivenTokenWithSignatureContainingNewline_WhenValidated_ThenSanitizesNewlineInLog()
+    {
+        // Create a token with an invalid signature containing a newline character
+        const string maliciousSignature = "fake\nsignature";
+        var token =
+            $"r=http%3A%2F%2Flocalhost&e={DateTimeOffset.UtcNow.AddMinutes(5).ToUnixTimeSeconds()}&s={maliciousSignature}";
+        var headers = new HeaderDictionary { { Constants.AegSasTokenHeader, token } };
+
+        Validator.IsValid(headers, ValidTopicKey);
+
+        // Verify that the logger was called with the sanitized signature (\\n instead of \n)
+        Logger
+            .Received()
+            .Log(
+                LogLevel.Warning,
+                Arg.Any<EventId>(),
+                Arg.Is<object>(o =>
+                    (o.ToString() ?? "").Contains("fake\\nsignature")
+                    && !(o.ToString() ?? "").Contains("fake\nsignature")
+                ),
+                Arg.Any<Exception?>(),
+                Arg.Any<Func<object, Exception?, string>>()
+            );
+    }
+
+    [Fact]
+    public void GivenTokenWithSignatureContainingCarriageReturn_WhenValidated_ThenSanitizesCarriageReturnInLog()
+    {
+        // Create a token with an invalid signature containing a carriage return character
+        const string maliciousSignature = "fake\rsignature";
+        var token =
+            $"r=http%3A%2F%2Flocalhost&e={DateTimeOffset.UtcNow.AddMinutes(5).ToUnixTimeSeconds()}&s={maliciousSignature}";
+        var headers = new HeaderDictionary { { Constants.AegSasTokenHeader, token } };
+
+        Validator.IsValid(headers, ValidTopicKey);
+
+        // Verify that the logger was called with the sanitized signature (\\r instead of \r)
+        Logger
+            .Received()
+            .Log(
+                LogLevel.Warning,
+                Arg.Any<EventId>(),
+                Arg.Is<object>(o =>
+                    (o.ToString() ?? "").Contains("fake\\rsignature")
+                    && !(o.ToString() ?? "").Contains("fake\rsignature")
+                ),
+                Arg.Any<Exception?>(),
+                Arg.Any<Func<object, Exception?, string>>()
+            );
+    }
+
+    [Fact]
+    public void GivenTokenWithSignatureContainingTab_WhenValidated_ThenSanitizesTabInLog()
+    {
+        // Create a token with an invalid signature containing a tab character
+        const string maliciousSignature = "fake\tsignature";
+        var token =
+            $"r=http%3A%2F%2Flocalhost&e={DateTimeOffset.UtcNow.AddMinutes(5).ToUnixTimeSeconds()}&s={maliciousSignature}";
+        var headers = new HeaderDictionary { { Constants.AegSasTokenHeader, token } };
+
+        Validator.IsValid(headers, ValidTopicKey);
+
+        // Verify that the logger was called with the sanitized signature (\\t instead of \t)
+        Logger
+            .Received()
+            .Log(
+                LogLevel.Warning,
+                Arg.Any<EventId>(),
+                Arg.Is<object>(o =>
+                    (o.ToString() ?? "").Contains("fake\\tsignature")
+                    && !(o.ToString() ?? "").Contains("fake\tsignature")
+                ),
+                Arg.Any<Exception?>(),
+                Arg.Any<Func<object, Exception?, string>>()
+            );
+    }
+
+    [Fact]
+    public void GivenTokenWithSignatureContainingMultipleControlCharacters_WhenValidated_ThenSanitizesAllControlCharactersInLog()
+    {
+        // Create a token with an invalid signature containing multiple control characters
+        const string maliciousSignature = "fake\n\r\t\0signature";
+        var token =
+            $"r=http%3A%2F%2Flocalhost&e={DateTimeOffset.UtcNow.AddMinutes(5).ToUnixTimeSeconds()}&s={maliciousSignature}";
+        var headers = new HeaderDictionary { { Constants.AegSasTokenHeader, token } };
+
+        Validator.IsValid(headers, ValidTopicKey);
+
+        // Verify that all control characters are sanitized
+        Logger
+            .Received()
+            .Log(
+                LogLevel.Warning,
+                Arg.Any<EventId>(),
+                Arg.Is<object>(o =>
+                    (o.ToString() ?? "").Contains("fake\\n\\r\\t\\0signature")
+                    && !(o.ToString() ?? "").Contains("fake\n\r\t\0signature")
+                ),
+                Arg.Any<Exception?>(),
+                Arg.Any<Func<object, Exception?, string>>()
+            );
+    }
+
+    [Fact]
+    public void GivenTokenWithSignatureContainingDelCharacter_WhenValidated_ThenSanitizesDelInLog()
+    {
+        // Create a token with an invalid signature containing the DEL character (ASCII 127)
+        var maliciousSignature = $"fake{(char)127}signature";
+        var token =
+            $"r=http%3A%2F%2Flocalhost&e={DateTimeOffset.UtcNow.AddMinutes(5).ToUnixTimeSeconds()}&s={maliciousSignature}";
+        var headers = new HeaderDictionary { { Constants.AegSasTokenHeader, token } };
+
+        Validator.IsValid(headers, ValidTopicKey);
+
+        // Verify that the DEL character is sanitized as \x7F
+        Logger
+            .Received()
+            .Log(
+                LogLevel.Warning,
+                Arg.Any<EventId>(),
+                Arg.Is<object>(o =>
+                    (o.ToString() ?? "").Contains("fake\\x7Fsignature")
+                    && !(o.ToString() ?? "").Contains($"fake{(char)127}signature")
+                ),
+                Arg.Any<Exception?>(),
+                Arg.Any<Func<object, Exception?, string>>()
+            );
+    }
 }

src/AzureEventGridSimulator/Domain/Services/Dashboard/EventHistoryStore.cs

@@ -156,22 +156,26 @@ public DashboardStats GetStats(int topicsActive)
         var totalPending = 0;
 
         foreach (var record in records)
-        foreach (var delivery in record.GetDeliveries())
-            switch (delivery.Status)
+        {
+            foreach (var delivery in record.GetDeliveries())
             {
-                case DeliveryStatus.Delivered:
-                    totalDelivered++;
-                    break;
-                case DeliveryStatus.Failed:
-                case DeliveryStatus.DeadLettered:
-                    totalFailed++;
-                    break;
-                case DeliveryStatus.Pending:
-                case DeliveryStatus.InProgress:
-                case DeliveryStatus.Retrying:
-                    totalPending++;
-                    break;
+                switch (delivery.Status)
+                {
+                    case DeliveryStatus.Delivered:
+                        totalDelivered++;
+                        break;
+                    case DeliveryStatus.Failed:
+                    case DeliveryStatus.DeadLettered:
+                        totalFailed++;
+                        break;
+                    case DeliveryStatus.Pending:
+                    case DeliveryStatus.InProgress:
+                    case DeliveryStatus.Retrying:
+                        totalPending++;
+                        break;
+                }
             }
+        }
 
         return new DashboardStats(
             _totalEventsReceived,

src/AzureEventGridSimulator/Infrastructure/Middleware/EventGridMiddleware.cs

@@ -95,8 +95,6 @@ private async Task HandleNotificationRequest(
         ILogger logger
     )
     {
-        var contentType = context.Request.Headers.ContentType.FirstOrDefault();
-
         // 1. Validate the SAS key/token if configured
         if (!string.IsNullOrWhiteSpace(topic.Key))
         {
@@ -152,6 +150,7 @@ await context.WriteErrorResponse(
                 : validationResult2.ErrorMessage + context.GenerateReportSuffix();
 
             // Record the rejection in event history
+            var contentType = context.Request.Headers.ContentType.FirstOrDefault();
             RecordRejection(
                 eventHistoryService,
                 topic.Name,

src/AzureEventGridSimulator/Infrastructure/Middleware/SasKeyValidator.cs

@@ -206,10 +206,12 @@ private SasValidationResult ValidateToken(string token, string key)
             if (string.Equals(signature, computedSignature, StringComparison.Ordinal))
                 return new SasValidationResult(true);
 
+            // Sanitize signature to prevent log forging by escaping all control characters
+            var sanitizedSignature = SanitizeForLogging(signature);
             logger.LogWarning(
                 "SAS token signature mismatch. Expected: {Expected}, Got: {Actual}",
                 computedSignature,
-                signature
+                sanitizedSignature
             );
 
             return new SasValidationResult(false, SasValidationFailureReason.SignatureMismatch);
@@ -219,4 +221,43 @@ private SasValidationResult ValidateToken(string token, string key)
             return new SasValidationResult(false, SasValidationFailureReason.InvalidBase64);
         }
     }
+
+    /// <summary>
+    ///     Sanitizes a string for logging by escaping all control characters (code points &lt; 32 and DEL at 127)
+    ///     to prevent log forging attacks.
+    /// </summary>
+    /// <param name="input">The string to sanitize</param>
+    /// <returns>A sanitized string with control characters escaped</returns>
+    private static string SanitizeForLogging(string input)
+    {
+        // Use input.Length * 2 capacity to reduce reallocations when control characters expand
+        // (e.g., '\n' becomes "\\n" which is 2 characters instead of 1)
+        var sb = new StringBuilder(input.Length * 2);
+        foreach (var c in input)
+        {
+            if (c < 32 || c == 127) // Control characters: code points < 32 and DEL (127)
+            {
+                sb.Append(
+                    c switch
+                    {
+                        '\n' => "\\n",
+                        '\r' => "\\r",
+                        '\t' => "\\t",
+                        '\f' => "\\f",
+                        '\b' => "\\b",
+                        '\0' => "\\0",
+                        '\a' => "\\a",
+                        '\v' => "\\v",
+                        (char)127 => "\\x7F", // DEL character
+                        _ => $"\\x{((int)c):X2}" // Escape other control chars as hex
+                    }
+                );
+            }
+            else
+            {
+                sb.Append(c);
+            }
+        }
+        return sb.ToString();
+    }
 }