fix(cli): detect URL-encoded attacks and stop leaking Invalid Date in log-parser#42

Merged
ralyodio merged 1 commit into
profullstack:masterfrom
AliaksandrNazaruk:fix/log-parser-detection-and-timestamps
Jul 2, 2026
Conversation

@AliaksandrNazaruk

Contributor

Problem

Two correctness bugs in apps/cli/src/core/log-parser.ts (see #41):

  1. Encoded-attack evasion. detectAttackPattern runs plaintext signatures against the nginx request path, which is stored URL-encoded (parseNginxLogpath: match[4]). So %3Cscript%3E, %27%20OR%201=1, %2e%2e%2f… are never flagged — a silent false negative in a security product.
  2. Invalid Date leak. parseNginxTimestamp/parseSyslogTimestamp rely on try/catch around new Date(), but new Date(<bad>) returns an Invalid Date rather than throwing, so the fallback is dead code and Invalid Date propagates into time-window logic. parseSyslogTimestamp also hard-codes the current year (December-log-in-January is misdated a year into the future).

Fix

  1. detectAttackPattern: test the raw path and its URL-decoded forms (single + double encoding), guarding malformed % with a try/catch around decodeURIComponent.
  2. Timestamps: check Number.isNaN(d.getTime()) explicitly and fall back to now; for syslog, choose the most recent non-future year.

Verification

The CLI package has no test runner, so I verified the logic with a standalone script: plaintext SQLi still detected; URL-encoded SQLi/XSS/path-traversal now detected (including double-encoded); benign path → null; malformed % doesn't throw; valid and garbage timestamps both yield a valid Date (never Invalid). Type-safe (passes tsc --noEmit).

Note: scanning user_agent for payloads is a small follow-up in monitor.ts (the caller) and is out of scope for this parser-only PR.

Fixes #41.
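The two fixes described above, written out as an added illustration that is not the project's own log-parser.ts: the signature list, helper names and sample inputs are constructed here, and the syslog year helper only looks at month and day (it ignores time of day).

```typescript
// Constructed signatures for illustration; the real parser's list is not shown on this page.
const SIGNATURES: { name: string; re: RegExp }[] = [
  { name: "xss", re: /<script/i },
  { name: "sqli", re: /(\bor\b\s+1\s*=\s*1|union\s+select)/i },
  { name: "traversal", re: /\.\.\// },
];

// Raw value plus its single- and double-decoded forms.
// A malformed '%' sequence makes decodeURIComponent throw URIError; we stop
// decoding instead of letting the exception escape.
function decodeCandidates(raw: string): string[] {
  const out = [raw];
  let cur = raw;
  for (let i = 0; i < 2; i++) {
    try {
      const next = decodeURIComponent(cur);
      if (next === cur) break; // nothing left to decode
      out.push(next);
      cur = next;
    } catch {
      break; // e.g. '%zz' or a truncated '%E0%A4%A'
    }
  }
  return out;
}

// Test every candidate form, not just the URL-encoded value nginx logged.
function detectAttackPattern(path: string): string | null {
  for (const candidate of decodeCandidates(path)) {
    for (const sig of SIGNATURES) {
      if (sig.re.test(candidate)) return sig.name;
    }
  }
  return null;
}

// new Date(<bad>) returns an Invalid Date rather than throwing, so a
// try/catch fallback is dead code; check getTime() explicitly instead.
function parseTimestampOrNow(raw: string, now: Date = new Date()): Date {
  const d = new Date(raw);
  return Number.isNaN(d.getTime()) ? now : d;
}

// Syslog lines carry no year: choose the most recent year in which the
// month/day is not in the future relative to `now` (UTC).
function syslogYear(month: number, day: number, now: Date): number {
  const y = now.getUTCFullYear();
  return Date.UTC(y, month - 1, day) > now.getTime() ? y - 1 : y;
}
```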

… log-parser

Two correctness bugs in the log/attack parser (the actual product):

1. detectAttackPattern tested the raw nginx request path, which nginx logs
   URL-encoded. Plaintext signatures like '<script' or 'or 1=1' therefore
   never matched an encoded payload ('%3Cscript%3E', '%27%20OR%201=1') — a
   silent false negative in a security product. Now test the raw value and
   its URL-decoded forms (single + double encoding), guarding malformed '%'
   sequences.

2. parseNginxTimestamp/parseSyslogTimestamp wrapped new Date() in try/catch
   with a new Date() fallback, but new Date(<bad>) returns an Invalid Date
   instead of throwing, so the catch never fired and Invalid Date leaked into
   downstream time-window logic. Check getTime() explicitly. Also fix the
   syslog year assumption so a December log parsed in January is dated to the
   previous year rather than a full year in the future.

Logic verified standalone (encoded SQLi/XSS/traversal detected, benign path
still null, malformed input safe, timestamps never Invalid).
@ralyodio ralyodio merged commit 634c6cb into profullstack:master Jul 2, 2026
9 checks passed

Development

Successfully merging this pull request may close these issues.

log-parser: URL-encoded attacks evade detection; timestamp fallback is dead code (Invalid Date leaks)