From 56c50a6d48f7c34d491b3101565894d35cecc6b4 Mon Sep 17 00:00:00 2001
From: Test User
Date: Wed, 20 May 2026 20:24:10 +0800
Subject: [PATCH] fix(security): remove raw session_id from security event logs

The INVALID_SESSION_ID_FORMAT log event was logging the raw user-supplied session_id value in both the message and details field. Since this input is already flagged as potentially malicious (failing the format check), logging it verbatim could enable log injection attacks where an attacker crafts a session_id containing log-forging characters (e.g. newlines) to inject fake log entries.

Co-Authored-By: Claude Opus 4.7
---
 server/routes/sessions.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/server/routes/sessions.py b/server/routes/sessions.py
index 522fc1ec6..f8a5a7e00 100755
--- a/server/routes/sessions.py
+++ b/server/routes/sessions.py
@@ -21,8 +21,7 @@ async def download_session(session_id: str):
 logger = get_server_logger()
 logger.log_security_event(
 "INVALID_SESSION_ID_FORMAT",
- f"Invalid session_id format: {session_id}",
- details={"received_session_id": session_id},
+ "Invalid session_id format rejected",
 )
 raise ValidationError(
 "Invalid session_id: only letters, digits, underscores, and hyphens are allowed",
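Review bot: Dropping the rejected value entirely leaves the `INVALID_SESSION_ID_FORMAT` event with nothing to correlate repeated malformed requests by, so the `details` argument is worth keeping in a log-safe form rather than removing, e.g. `details={"received_session_id_len": len(session_id), "received_session_id_sha256": hashlib.sha256(session_id.encode()).hexdigest()},` (a `hashlib` import at the top of the file, outside the hunk, would be needed). A digest and a length are fixed-width and cannot carry CR/LF, so the log-forging concern in the commit message does not apply to them while analysts can still group events from the same input. Whether `log_security_event` itself neutralizes control characters in the message and details cannot be seen from here; if it does not, the same class of issue remains at every other call site that logs request-derived strings, and a central escape (such as `repr()` or a CR/LF strip) inside the logger would be the more durable fix than per-call-site removal. The enclosing `download_session` body, including the remainder of the `raise ValidationError(` call, continues outside the hunk.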