From 1190d218af1ce8fdb98fec6710f57b0c2f0c5d8d Mon Sep 17 00:00:00 2001
From: admin
Date: Thu, 18 Dec 2025 20:17:42 -0600
Subject: [PATCH] Add log sanitization for CodeQL log forging alerts
---
 src/NzbDrone.Common/Disk/DiskProviderBase.cs | 6 +++---
 src/NzbDrone.Common/EnsureThat/ExceptionFactory.cs | 5 +++--
 src/NzbDrone.Common/Http/HttpClient.cs | 2 +-
 3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/NzbDrone.Common/Disk/DiskProviderBase.cs b/src/NzbDrone.Common/Disk/DiskProviderBase.cs
index 0db6801fea..274a20691d 100644
--- a/src/NzbDrone.Common/Disk/DiskProviderBase.cs
+++ b/src/NzbDrone.Common/Disk/DiskProviderBase.cs
@@ -138,7 +138,7 @@ public bool FolderWritable(string path)
 }
 catch (Exception e)
 {
- Logger.Trace("Directory '{0}' isn't writable. {1}", path, e.Message);
+ Logger.Trace("Directory '{0}' isn't writable. {1}", path.SanitizeForLog(), e.Message);
 return false;
 }
 }
@@ -206,7 +206,7 @@ public long GetFileSize(string path)
 }
 catch (IOException ex)
 {
- Logger.Trace(ex, "Unable to resolve symlink target for {0}", path);
+ Logger.Trace(ex, "Unable to resolve symlink target for {0}", path.SanitizeForLog());
 }
 return fi.Length;
@@ -534,7 +534,7 @@ public virtual IMount GetMount(string path)
 }
 catch (Exception ex)
 {
- Logger.Debug(ex, $"Failed to get mount for path {path}");
+ Logger.Debug(ex, "Failed to get mount for path {0}", path.SanitizeForLog());
 return null;
 }
 }
diff --git a/src/NzbDrone.Common/EnsureThat/ExceptionFactory.cs b/src/NzbDrone.Common/EnsureThat/ExceptionFactory.cs
index d3f24a43fa..c57b68a5c8 100644
--- a/src/NzbDrone.Common/EnsureThat/ExceptionFactory.cs
+++ b/src/NzbDrone.Common/EnsureThat/ExceptionFactory.cs
@@ -1,5 +1,6 @@
 using System;
 using NLog;
+using NzbDrone.Common.Extensions;
 namespace NzbDrone.Common.EnsureThat
 {
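Review bot: `e.Message` in the FolderWritable trace call is still written unsanitized, and file-system exception messages commonly repeat the offending path, so the text this change strips from `path` can still reach the log through the second argument. Consider `Logger.Trace("Directory '{0}' isn't writable. {1}", path.SanitizeForLog(), e.Message.SanitizeForLog());`. The GetFileSize and GetMount hunks pass the exception object `ex` to the logger, and its rendered message is likewise not covered by the call-site sanitizer; whether the log layout neutralises line breaks in exception text is not visible in this patch. FolderWritable's body starts outside the hunk.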
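Review bot: The new `path.SanitizeForLog()` call in GetMount runs inside `catch (Exception ex)`, so if the extension does not accept null, a null `path` would now throw from the handler instead of reaching `return null;`, whereas the interpolated string it replaces tolerated null. SanitizeForLog is not defined in this patch, so this should be confirmed at its definition or guarded at the call site, e.g. `path?.SanitizeForLog()`. The same shape appears in the FolderWritable hunk's `catch (Exception e)`. GetMount's body starts outside the hunk.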
@@ -9,13 +10,13 @@ internal static class ExceptionFactory
 internal static ArgumentException CreateForParamValidation(string paramName, string message)
 {
- Logger.Warn(message);
+ Logger.Warn(message.SanitizeForLog());
 return new ArgumentException(message, paramName);
 }
 internal static ArgumentNullException CreateForParamNullValidation(string paramName, string message)
 {
- Logger.Warn(message);
+ Logger.Warn(message.SanitizeForLog());
 return new ArgumentNullException(paramName, message);
 }
 }
diff --git a/src/NzbDrone.Common/Http/HttpClient.cs b/src/NzbDrone.Common/Http/HttpClient.cs
index 56a1c5a433..667fe486de 100644
--- a/src/NzbDrone.Common/Http/HttpClient.cs
+++ b/src/NzbDrone.Common/Http/HttpClient.cs
@@ -274,7 +274,7 @@ public async Task DownloadFileAsync(string url, string fileName)
 fileInfo.Directory.Create();
 }
- _logger.Debug("Downloading [{0}] to [{1}]", url, fileName);
+ _logger.Debug("Downloading [{0}] to [{1}]", url.SanitizeForLog(), fileName.SanitizeForLog());
 var stopWatch = Stopwatch.StartNew();
 await using (var fileStream = new FileStream(fileNamePart, FileMode.Create, FileAccess.ReadWrite))
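Review bot: Both factory methods sanitize only the copy of `message` passed to `Logger.Warn`; the `ArgumentException` and `ArgumentNullException` they return still carry the raw text, so any handler that later logs the exception writes it unsanitized. If that is intended because callers need the exact message, a short comment would record it, e.g. `// Only the log line is sanitized; the returned exception keeps the original message.`. Call-site sanitization has to be repeated at every sink, so neutralising line breaks once in the logging layout would also cover exception text; that is a design suggestion rather than something this hunk shows to be missing.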
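Review bot: `url.SanitizeForLog()` in DownloadFileAsync addresses log forging, but a download URL can also carry credentials or API keys in its query string or userinfo, and nothing in this hunk shows those being masked before the Debug line is written. Whether SanitizeForLog or a later log-cleansing step redacts them is not visible here and is worth confirming; if neither does, logging only scheme, host and path would be safer. Both arguments are also sanitized when Debug logging is off, which a guard such as `if (_logger.IsDebugEnabled)` would avoid. DownloadFileAsync's body starts and ends outside the hunk.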