Overview
The Google Calendar integration logs unsanitized user-supplied data ,This compromises the integrity of log files, making them unreliable for debugging, monitoring.
Affected Endpoint and Files
- File: ai-python/src/MCP/google/gcalendar/calendar_tools.py
- Function: create_event (logging attachment URLs and file IDs)
- Line(s): ~286–290
Evidence
for att in attachments:
match = re.search(r"(?:/d/|/file/d/|id=)([\w-]+)", att)
file_id = match.group(1) if match else None
logger.info(f"[create_event] Extracted file_id '{file_id}' from attachment URL '{att}'")
Steps to Reproduce
-
Supply a crafted attachment URL that includes newline/control characters:
att = "https://drive.google.com/open?id=12345\nINFO: user=admin logged in
-
When create_event runs, the log file will contain:
[create_event] Extracted file_id '12345' from attachment URL 'https://drive.google.com/open?id=12345
INFO: user=admin logged in'
- The INFO: user=admin logged in appears as a legitimate new log entry, misleading anyone reviewing the logs.
Expected Behavior
All user-supplied inputs should be sanitized or escaped before being logged. input must not alter the structure or semantics of log files.
Impact
Integrity risk: Attackers can pollute logs, making investigations and audits unreliable.
Operational risk: Security alerts, monitoring systems, and compliance reports relying on logs can be bypassed.
Severity: Medium – requires log access, but integrity of logs is critical in production systems.
Overview
The Google Calendar integration logs unsanitized user-supplied data ,This compromises the integrity of log files, making them unreliable for debugging, monitoring.
Affected Endpoint and Files
Evidence
Steps to Reproduce
Supply a crafted attachment URL that includes newline/control characters:
att = "https://drive.google.com/open?id=12345\nINFO: user=admin logged inWhen create_event runs, the log file will contain:
Expected Behavior
Impact