From 8039ce5856ca8645746487aab2b54d89b15c7587 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Wed, 10 Jun 2026 02:18:26 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[MEDIUM]=20?=
 =?UTF-8?q?Fix=20Log=20Injection=20in=20exception=20handler?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Replaces f-string exception logging `f"{e}"` with `f"{repr(str(e))}"` to prevent Log Injection (CRLF) vulnerabilities. While the `ipaddress` module natively escapes its exceptions, this broad exception handler could catch un-sanitized exceptions from future `raise` statements, allowing attackers to spoof log entries using embedded newlines.
Co-authored-by: ManupaKDU <95234271+ManupaKDU@users.noreply.github.com>
---
 .jules/sentinel.md | 4 ++++
 testping1.py | 4 +++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
index 010d6a4..1106ff4 100644
--- a/.jules/sentinel.md
+++ b/.jules/sentinel.md
@@ -85,3 +85,7 @@
 **Vulnerability:** Attackers could bypass SSRF IP blocklists using SIIT (Stateless IP/ICMP Translation, RFC 2765) addresses. The format `::ffff:0:a.b.c.d` (using the `::ffff:0:0:0/96` prefix) evaluates as `is_global = True` in Python's `ipaddress` module and is NOT caught by the `ipv4_mapped` property. If an attacker passes such an address, the OS networking stack might route it directly to the embedded IPv4 target, bypassing internal security restrictions.
 **Learning:** Python's `ipaddress` module only natively extracts standard IPv4-mapped addresses (`::ffff:a.b.c.d`), failing to recognize or unwrap SIIT IPv4-translated addresses.
 **Prevention:** Always manually unwrap SIIT addresses by checking if the high 96 bits of the IPv6 integer match the SIIT prefix (`ip_int >> 32 == 0xffff0000`). If so, extract the underlying 32-bit IPv4 address using bitwise operations (`ip_int & 0xFFFFFFFF`) and validate it against the SSRF blocklist.
+## 2025-05-24 - Log Injection (CRLF) in Shared Exception Handlers
+**Vulnerability:** A Log Injection (CRLF) vulnerability existed in a shared exception handler. While Python's `ipaddress` module natively escapes control characters in its `ValueError` exceptions using `!r` formatting, catching broad exceptions (e.g., `except (ValueError, TypeError, RecursionError):`) and logging the `e` object via f-string interpolation (`f"Error: {e}"`) is dangerous. If a future, unrelated `raise ValueError("malicious\ninput")` is added to the try block, the unescaped control characters would be evaluated by the logger, allowing log spoofing.
+**Learning:** Shared, broad exception handlers that catch errors from multiple potential sources must assume that the exception payload is untrusted and un-sanitized. Relying on the safe formatting behavior of one specific underlying module (`ipaddress`) is insufficient defense-in-depth.
+**Prevention:** Always sanitize exception messages caught in broad handlers before logging them by wrapping them in `repr(str(e))`. This ensures any embedded control characters (like `\n` or `\r`) are securely escaped, neutralizing log injection vectors.
diff --git a/testping1.py b/testping1.py
index fa70655..56c4c5a 100644
--- a/testping1.py
+++ b/testping1.py
@@ -275,7 +275,9 @@ def is_reachable(ip, timeout=1):
 raise ValueError(f"Scan range too large ({total_ips} IPs). Maximum 256 IPs allowed per scan.")
 except (ValueError, TypeError, RecursionError) as e:
- logging.error(f"Invalid scan range configuration: {e}")
+ # 🛡️ Sentinel: Prevent Log Injection (CRLF) in shared exception handlers.
+ # While ipaddress exceptions may be safe, broad handlers might catch un-sanitized exceptions.
+ logging.error(f"Invalid scan range configuration: {repr(str(e))}")
 exit(1)
 # ⚡ Bolt: Optimize sequential IP address generation
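Review bot: The new `logging.error` call still formats eagerly with an f-string, and `repr(str(e))` is the long way to ask for an escaped message; a `%r` placeholder gives the same control-character escaping through the logging module's own formatting and keeps the message lazy, so the line can read `logging.error("Invalid scan range configuration: %r", str(e))`. If the f-string is kept, `{str(e)!r}` is the equivalent conversion flag and reads more idiomatically than the nested calls. Either form wraps the message in quotes, which changes the shape of this log line, so anything that parses these entries should be checked. The try/except this handler belongs to begins before the hunk and the surrounding module continues after it.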