fix: CEF-escape Action and Details to prevent log injection (PILOT-263)#17

Open
matthew-pilot wants to merge 2 commits into
mainfrom
openclaw/pilot-263-20260530-003137
Conversation

@matthew-pilot
Collaborator

What

User-controlled Action and Details strings in audit/audit_export.go were interpolated directly into CEF output without escaping. An attacker could inject | and = characters to forge extension fields or corrupt CEF header parsing consumed by SIEM parsers.

Fix

Add a cefEscape() helper that escapes \, =, |, \r, \n per the CEF escaping convention, and apply it to:

  • Action before the CEF header and cs1= extension
  • Details before the msg= extension

Verification

go build ./...     ✓
go vet ./...       ✓
go test ./...      ✓ (all 17 packages)

Two new regression tests (TestFormatCEFEscapesInjectionCharactersInAction, TestFormatCEFEscapesInjectionCharactersInDetails) demonstrate the vulnerability and confirm the fix.

Scope

Metric   Value
Files    2 (audit_export.go, zz_audit_test.go)
LoC      +57 / -3

git diff --stat HEAD~1
 audit/audit_export.go  | 19 ++++++++++++++++---
 audit/zz_audit_test.go | 41 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+), 3 deletions(-)

Closes PILOT-263
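The PR description above explains the escaping rule but does not show the helper or the parsing failure it prevents. The following Go program is an added example written for this page, not the project's audit_export.go: it reimplements a cefEscape() with the behaviour the description states (escaping \, =, |, CR and LF), renders the same three positions the PR escapes (the header Name field, cs1= and msg=), and then parses both the unescaped and the escaped line the way a CEF consumer would, so the forged header field and forged extension key can be seen to disappear. AuditEvent, formatCEF, the vendor/product strings and the sample event are all constructed for the example; the project's real struct and signature IDs are not on the page.

```go
package main

import (
	"fmt"
	"strings"
)

// cefEscape neutralises the characters that carry structure in a CEF record.
// Hypothetical reimplementation following the PR description: backslash,
// '=', '|', CR and LF are escaped. strings.NewReplacer makes a single pass,
// so the backslashes it inserts are never escaped a second time.
func cefEscape(s string) string {
	r := strings.NewReplacer(
		`\`, `\\`,
		`=`, `\=`,
		`|`, `\|`,
		"\r", `\r`,
		"\n", `\n`,
	)
	return r.Replace(s)
}

// AuditEvent is a constructed stand-in for the audit record; the real
// project's type is not shown on the PR page.
type AuditEvent struct {
	Action  string
	Details string
}

// formatCEF renders one CEF:0 line. Action lands in the header Name field
// and in cs1=, Details in msg=, the three positions the PR applies
// cefEscape to. escape=false reproduces the pre-fix behaviour.
func formatCEF(ev AuditEvent, escape bool) string {
	action, details := ev.Action, ev.Details
	if escape {
		action, details = cefEscape(action), cefEscape(details)
	}
	return fmt.Sprintf("CEF:0|ExampleVendor|AuditExport|1.0|100|%s|5|cs1=%s cs1Label=action msg=%s",
		action, action, details)
}

// splitHeader splits a line into its seven header fields and the extension
// string the way a SIEM parser would: on '|' not preceded by a backslash.
func splitHeader(line string) ([]string, string) {
	var fields []string
	var cur strings.Builder
	escaped := false
	for _, c := range line {
		switch {
		case escaped:
			cur.WriteRune(c)
			escaped = false
		case c == '\\':
			cur.WriteRune(c)
			escaped = true
		case c == '|' && len(fields) < 7:
			fields = append(fields, cur.String())
			cur.Reset()
		default:
			cur.WriteRune(c)
		}
	}
	return fields, cur.String()
}

// extensionKeys returns the keys a parser would see in an extension string:
// the token immediately before each unescaped '='. An unescaped value that
// contains " key=" therefore shows up as a forged key.
func extensionKeys(ext string) []string {
	var keys []string
	tokenStart := 0
	escaped := false
	for i, c := range ext {
		switch {
		case escaped:
			escaped = false
		case c == '\\':
			escaped = true
		case c == ' ':
			tokenStart = i + 1
		case c == '=':
			keys = append(keys, ext[tokenStart:i])
			tokenStart = i + 1
		}
	}
	return keys
}

func main() {
	// Constructed event mirroring the two regression tests: a pipe/equals
	// payload in Action and a newline plus fake header in Details.
	ev := AuditEvent{Action: "login|7|act=forged", Details: "ok\nCEF:0|x|x|x|x|fake|1|"}
	for _, escape := range []bool{false, true} {
		line := formatCEF(ev, escape)
		fields, ext := splitHeader(line)
		fmt.Printf("escape=%v severity=%q keys=%v lines=%d\n",
			escape, fields[6], extensionKeys(ext), strings.Count(line, "\n")+1)
	}
}
```

Run as-is, the unescaped pass reports severity "7", a forged "act" key and two physical lines; the escaped pass reports severity "5", only cs1, cs1Label and msg, and a single line. The parser here is intentionally minimal; the point is that, once the three positions are escaped, a parser that honours backslash escapes recovers exactly the fields the exporter meant to emit.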

Two failing tests that demonstrate the vulnerability:
- Action containing pipe characters corrupts CEF header parsing,
  injecting fake extension fields (cn2, src, act).
- Details containing pipe and newline characters corrupt
  msg extension and create fake CEF lines.
…ILOT-263)

User-controlled Action and Details strings were interpolated
directly into CEF output without escaping. An attacker could
inject | and = characters to forge extension fields or fake
CEF headers consumed by SIEM parsers.

Add cefEscape() helper that escapes \, =, |, \r, \n per
the CEF escaping convention, and apply it to Action before
both the header and extensions, and to Details before the
msg extension.

Closes PILOT-263
@matthew-pilot matthew-pilot added the matthew-fix-larger Medium-scope autonomous fix (≤10 files, ≤200 LoC) label May 30, 2026
@codecov

codecov Bot commented May 30, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@matthew-pilot
Collaborator Author

🦾 Matthew PR Status — #17

Title: fix: CEF-escape Action and Details to prevent log injection (PILOT-263)
Status: OPEN | Mergeable: MERGEABLE
Author: @matthew-pilot (matthew-pilot bot)
Created: 2026-05-30T00:33:13Z
Branch: openclaw/pilot-263-20260530-003137 -> main
Changes: +57/-3 across 2 files

Tickets

🔗 PILOT-263

Labels

matthew-fix-larger

Files Changed

  • audit/audit_export.go (+16)
  • audit/zz_audit_test.go (+41)

Next Actions

  • Explain: /pr explain #17 — detailed analysis
  • Canary retry: /pr retry-canary #17 (if CI failed)
  • Fix & update: /pr fix #17 <instructions>
  • Rebase: /pr rebase #17
  • Close: /pr close #17 <reason>

🦾 Auto-generated status check by matthew-pr-worker

@matthew-pilot
Collaborator Author

🦾 Matthew PR Explain — #17

What this PR does

fix: CEF-escape Action and Details to prevent log injection (PILOT-263)

Scope

  • Files: 2 files
  • Delta: +57/-3 lines
  • Labels: matthew-fix-larger
  • Mergeable: MERGEABLE

Tickets

🔗 PILOT-263

Files

  • audit/audit_export.go (+16/-3)
  • audit/zz_audit_test.go (+41/-0)

Review Notes

  • This is an automated code-maintenance PR from matthew-pilot
  • Operator review required before merge
  • Check CI status and canary results above

🦾 Auto-generated explain by matthew-pr-worker
