Description
In src/Servy.Core/Logging/Logger.cs (line 290) and throughout the codebase, user-controlled strings (service names, file paths, error messages) are interpolated into log entries without newline sanitization:
$"[{DateTime.Now:yyyy-MM-dd HH:mm:ss}] [{level.ToString().ToUpper()}] {message}"
Data flow: Service name (from user input/database) → Logger.Info/Warn/Error → log file
A service name containing newline characters can inject fake log entries:
MyService\n[2026-04-08 12:00:00] [INFO] Service started successfully
This appears as two separate, legitimate-looking log entries in the log file.
Severity
Info — primarily a forensics/audit concern. Logs are local text files not used for security decisions, but forged log entries could mislead incident investigation.
Suggested fix
Strip or escape newline characters in the Logger before writing:
message = message?.Replace("\r", "\\r").Replace("\n", "\\n");
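A fuller form of the suggested fix, as an added example that is not Servy's own code: it escapes line breaks at the point where the log line is formatted, so every caller is covered. It goes beyond the two characters named above by also escaping the backslash (so escaped output stays unambiguous) and the Unicode line breaks U+0085, U+2028 and U+2029. `LogSanitizer`, `EscapeLineBreaks` and `Format` are hypothetical names, and the input is constructed from the service name shown in the description.

```csharp
using System;
using System.Text;

// Added example; LogSanitizer, EscapeLineBreaks and Format are hypothetical names, not Servy APIs.
public static class LogSanitizer
{
    // Escapes every character a log viewer or parser may treat as a line break,
    // plus the backslash itself, so an escaped newline can be told apart from
    // input that already contained the two characters '\' and 'n'.
    public static string EscapeLineBreaks(string message)
    {
        if (string.IsNullOrEmpty(message)) return message ?? string.Empty;

        var sb = new StringBuilder(message.Length + 8);
        foreach (char c in message)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\\"); break;
                case '\r': sb.Append(@"\r"); break;
                case '\n': sb.Append(@"\n"); break;
                case '\u0085': // next line (NEL)
                case '\u2028': // line separator
                case '\u2029': // paragraph separator
                    sb.Append("\\u").Append(((int)c).ToString("X4"));
                    break;
                default: sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Same entry layout as the format string quoted in the description.
    public static string Format(string level, string message) =>
        $"[{DateTime.Now:yyyy-MM-dd HH:mm:ss}] [{level.ToUpperInvariant()}] {EscapeLineBreaks(message)}";

    public static void Main()
    {
        // Constructed input: the service name from the description, with a real newline.
        string serviceName = "MyService\n[2026-04-08 12:00:00] [INFO] Service started successfully";
        string entry = Format("warn", $"Failed to start {serviceName}");

        Console.WriteLine(entry);
        // The forged text stays on the same physical line as the genuine entry.
        Console.WriteLine(entry.IndexOf('\n') < 0 ? "single line" : "injected line break");
    }
}
```

When reviewing such a log, a literal `\n[` sequence inside an entry is itself worth noting, since it marks input that attempted to start a new entry.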