Gateway: sanitize WebSocket log headers (#15592)

src/gateway/server/ws-connection.ts

@@ -7,6 +7,7 @@ import type { GatewayRequestContext, GatewayRequestHandlers } from "../server-me
 import type { GatewayWsClient } from "./ws-types.js";
 import { resolveCanvasHostUrl } from "../../infra/canvas-host-url.js";
 import { listSystemPresence, upsertPresence } from "../../infra/system-presence.js";
+import { truncateUtf16Safe } from "../../utils.js";
 import { isWebchatClient } from "../../utils/message-channel.js";
 import { isLoopbackAddress } from "../net.js";
 import { getHandshakeTimeoutMs } from "../server-constants.js";
@@ -17,6 +18,28 @@ import { attachGatewayWsMessageHandler } from "./ws-connection/message-handler.j
 
 type SubsystemLogger = ReturnType<typeof createSubsystemLogger>;
 
+const LOG_HEADER_MAX_LEN = 300;
+const LOG_HEADER_CONTROL_REGEX = /[\u0000-\u001f\u007f-\u009f]/g;
+const LOG_HEADER_FORMAT_REGEX = /\p{Cf}/gu;
+
+const sanitizeLogValue = (value: string | undefined): string | undefined => {
+  if (!value) {
+    return undefined;
+  }
+  const cleaned = value
+    .replace(LOG_HEADER_CONTROL_REGEX, " ")
+    .replace(LOG_HEADER_FORMAT_REGEX, " ")
+    .replace(/\s+/g, " ")
+    .trim();
+  if (!cleaned) {
+    return undefined;
+  }
+  if (cleaned.length <= LOG_HEADER_MAX_LEN) {
+    return cleaned;
+  }
+  return truncateUtf16Safe(cleaned, LOG_HEADER_MAX_LEN);
+};
+
 export function attachGatewayWsConnectionHandler(params: {
   wss: WebSocketServer;
   clients: Set<GatewayWsClient>;
@@ -156,6 +179,11 @@ export function attachGatewayWsConnectionHandler(params: {
 
     socket.once("close", (code, reason) => {
       const durationMs = Date.now() - openedAt;
+      const logForwardedFor = sanitizeLogValue(forwardedFor);
+      const logOrigin = sanitizeLogValue(requestOrigin);
+      const logHost = sanitizeLogValue(requestHost);
+      const logUserAgent = sanitizeLogValue(requestUserAgent);
+      const logReason = sanitizeLogValue(reason?.toString());
       const closeContext = {
         cause: closeCause,
         handshake: handshakeState,
@@ -163,10 +191,10 @@ export function attachGatewayWsConnectionHandler(params: {
         lastFrameType,
         lastFrameMethod,
         lastFrameId,
-        host: requestHost,
-        origin: requestOrigin,
-        userAgent: requestUserAgent,
-        forwardedFor,
+        host: logHost,
+        origin: logOrigin,
+        userAgent: logUserAgent,
+        forwardedFor: logForwardedFor,
         ...closeMeta,
       };
       if (!client) {
@@ -174,13 +202,13 @@ export function attachGatewayWsConnectionHandler(params: {
           ? logWsControl.debug
           : logWsControl.warn;
         logFn(
-          `closed before connect conn=${connId} remote=${remoteAddr ?? "?"} fwd=${forwardedFor ?? "n/a"} origin=${requestOrigin ?? "n/a"} host=${requestHost ?? "n/a"} ua=${requestUserAgent ?? "n/a"} code=${code ?? "n/a"} reason=${reason?.toString() || "n/a"}`,
+          `closed before connect conn=${connId} remote=${remoteAddr ?? "?"} fwd=${logForwardedFor || "n/a"} origin=${logOrigin || "n/a"} host=${logHost || "n/a"} ua=${logUserAgent || "n/a"} code=${code ?? "n/a"} reason=${logReason || "n/a"}`,
           closeContext,
         );
       }
       if (client && isWebchatClient(client.connect.client)) {
         logWsControl.info(
-          `webchat disconnected code=${code} reason=${reason?.toString() || "n/a"} conn=${connId}`,
+          `webchat disconnected code=${code} reason=${logReason || "n/a"} conn=${connId}`,
         );
       }
       if (client?.presenceKey) {
@@ -208,7 +236,7 @@ export function attachGatewayWsConnectionHandler(params: {
       logWs("out", "close", {
         connId,
         code,
-        reason: reason?.toString(),
+        reason: logReason,
         durationMs,
         cause: closeCause,
         handshake: handshakeState,