fix(cli): detect URL-encoded attacks and stop leaking Invalid Date in log-parser #42
Merged
ralyodio merged 1 commit (Jul 2, 2026)
Two correctness bugs in the log/attack parser (the actual product):
1. detectAttackPattern tested the raw nginx request path, which nginx logs
URL-encoded. Plaintext signatures like '<script' or 'or 1=1' therefore
never matched an encoded payload ('%3Cscript%3E', '%27%20OR%201=1') — a
silent false negative in a security product. Now test the raw value and
its URL-decoded forms (single + double encoding), guarding malformed '%'
sequences.
2. parseNginxTimestamp/parseSyslogTimestamp wrapped new Date() in try/catch
with a new Date() fallback, but new Date(<bad>) returns an Invalid Date
instead of throwing, so the catch never fired and Invalid Date leaked into
downstream time-window logic. Check getTime() explicitly. Also fix the
syslog year assumption so a December log parsed in January is dated to the
previous year rather than a full year in the future.
Logic verified standalone (encoded SQLi/XSS/traversal detected, benign path
still null, malformed input safe, timestamps never Invalid).
Problem
Two correctness bugs in apps/cli/src/core/log-parser.ts (see #41):
- detectAttackPattern runs plaintext signatures against the nginx request path, which is stored URL-encoded (parseNginxLog → path: match[4]). So %3Cscript%3E, %27%20OR%201=1, %2e%2e%2f… are never flagged — a silent false negative in a security product.
- parseNginxTimestamp/parseSyslogTimestamp rely on try/catch around new Date(), but new Date(<bad>) returns an Invalid Date rather than throwing, so the fallback is dead code and Invalid Date propagates into time-window logic.
- parseSyslogTimestamp also hard-codes the current year (December-log-in-January is misdated a year into the future).
Fix
- detectAttackPattern: test the raw path and its URL-decoded forms (single + double encoding), guarding malformed % with a try/catch around decodeURIComponent.
- parseNginxTimestamp/parseSyslogTimestamp: check Number.isNaN(d.getTime()) explicitly and fall back to now; for syslog, choose the most recent non-future year.
Verification
The CLI package has no test runner, so I verified the logic with a standalone script: plaintext SQLi still detected; URL-encoded SQLi/XSS/path-traversal now detected (including double-encoded); benign path → null; malformed % doesn't throw; valid and garbage timestamps both yield a valid Date (never Invalid). Type-safe (passes tsc --noEmit).
Note: scanning user_agent for payloads is a small follow-up in monitor.ts (the caller) and is out of scope for this parser-only PR.
Fixes #41.
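The three fixes the PR describes (decoded-form matching with a guarded decodeURIComponent, an explicit getTime() NaN check, and non-future syslog year selection), as an added TypeScript example that is not the project's log-parser.ts: the signature list, the helper names safeDecode/decodedForms/syslogYear and the sample inputs are constructed stand-ins for the real rules.

```typescript
// Added illustration of the PR's fixes; not the project's log-parser.ts.
// The signature list is a constructed, minimal stand-in for the real rules.
const SIGNATURES: { name: string; re: RegExp }[] = [
  { name: "xss", re: /<script/i },
  { name: "sqli", re: /\bor\b\s+1\s*=\s*1/i },
  { name: "traversal", re: /\.\.\// },
];

// One level of URL-decoding. decodeURIComponent throws on a malformed '%'
// sequence, so return null rather than letting a bad log line crash the parser.
function safeDecode(s: string): string | null {
  try { return decodeURIComponent(s); } catch { return null; }
}

// Raw value plus its single- and double-decoded forms (deduplicated), so an
// encoded payload is matched just like a plaintext one.
function decodedForms(path: string): string[] {
  const forms = [path];
  const once = safeDecode(path);
  if (once !== null && once !== path) {
    forms.push(once);
    const twice = safeDecode(once);
    if (twice !== null && twice !== once) forms.push(twice);
  }
  return forms;
}

// First matching signature name, or null for a benign path.
function detectAttackPattern(path: string): string | null {
  for (const form of decodedForms(path)) {
    for (const sig of SIGNATURES) {
      if (sig.re.test(form)) return sig.name;
    }
  }
  return null;
}

// new Date(bad) yields an Invalid Date instead of throwing, so a try/catch
// never fires; test getTime() for NaN and fall back to `now`.
function parseTimestamp(raw: string, now: Date = new Date()): Date {
  const d = new Date(raw);
  return Number.isNaN(d.getTime()) ? now : d;
}

// Syslog lines carry no year: pick the most recent year that does not place
// the entry in the future (a December line read in January is last year's).
function syslogYear(month: number, day: number, now: Date): number {
  const y = now.getUTCFullYear();
  return Date.UTC(y, month - 1, day) > now.getTime() ? y - 1 : y;
}
```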