Fix log forging vulnerability in GetCorrelationVector #373

Merged
singhk97 merged 10 commits into next/core from next/fix-log-forging-correlation-vector
Mar 18, 2026

Conversation

@singhk97 (Collaborator) commented Mar 16, 2026

Summary

  • Sanitize MS-CV header value to prevent log forging attacks
  • Remove newline characters before logging
  • Add comprehensive unit tests

Context

Addresses CodeQL security warning: user-provided MS-CV header values were logged without sanitization, allowing
malicious users to inject fake log entries via newline characters.

🤖 Generated with Claude Code
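The log forging pattern this PR description addresses, as an added C# example that is not the project's code: `CorrelationVectorSanitizer`, `FormatVulnerable`, `FormatSafe` and the forged header value are constructed for illustration, and this sanitizer strips both CR and LF explicitly so its result does not depend on the platform's `Environment.NewLine`.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example, not the project's code. Hypothetical helper showing why an
// unsanitized MS-CV header value lets a client inject a fake log entry, and
// how removing line breaks before logging closes that gap.
public static class CorrelationVectorSanitizer
{
    // Matches CR and LF individually, so "\r\n", "\n" and a stray "\r" are all
    // removed regardless of what Environment.NewLine is on the current platform.
    private static readonly Regex LineBreaks = new Regex(@"[\r\n]", RegexOptions.Compiled);

    // Before: the header value is written to the log verbatim (vulnerable).
    public static string FormatVulnerable(string msCv)
        => $"[INFO] Request received, MS-CV={msCv}";

    // After: line breaks are removed; a missing or empty header yields string.Empty
    // rather than null, so callers never have to special-case it.
    public static string GetCorrelationVector(string msCv)
    {
        if (string.IsNullOrEmpty(msCv)) return string.Empty;
        return LineBreaks.Replace(msCv, string.Empty);
    }

    public static string FormatSafe(string msCv)
        => $"[INFO] Request received, MS-CV={GetCorrelationVector(msCv)}";

    public static void Main()
    {
        // Constructed hostile header value: a plausible vector followed by a
        // line break and a fabricated entry that an analyst might take as real.
        string forged = "abc123.1\r\n[INFO] admin login succeeded, user=attacker";

        Console.WriteLine("--- vulnerable ---");
        Console.WriteLine(FormatVulnerable(forged)); // prints two lines; the second looks like a genuine entry
        Console.WriteLine("--- sanitized ---");
        Console.WriteLine(FormatSafe(forged));       // prints one line; injected text stays inside the MS-CV field
        Console.WriteLine($"missing header -> \"{GetCorrelationVector(null)}\"");
    }
}
```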

singhk97 and others added 2 commits March 16, 2026 14:48
Sanitize MS-CV header value by removing newline characters to prevent
malicious users from injecting fake log entries. Added comprehensive
unit tests to verify the sanitization logic.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@singhk97 singhk97 requested a review from rido-min March 16, 2026 21:51
@singhk97 singhk97 added the CORE label Mar 16, 2026
singhk97 and others added 7 commits March 17, 2026 08:12
Updated the correlation vector sanitization to use Environment.NewLine
as recommended by CodeQL/OWASP. Updated corresponding unit tests to be
platform-agnostic by using Environment.NewLine instead of hardcoded
newline characters.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Changed GetCorrelationVector to consistently return string.Empty
instead of null when the correlation vector header is missing or empty.
Updated test to reflect this behavior change.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@singhk97 singhk97 merged commit e484021 into next/core Mar 18, 2026
6 checks passed
@singhk97 singhk97 deleted the next/fix-log-forging-correlation-vector branch March 18, 2026 15:39