From 21d34c389e2e6cb4abf08ddab611de8c2dab49fe Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 22 Jun 2026 20:30:15 -0500
Subject: [PATCH] fix(security): use Replace-based newline stripping in
 SanitizeLogValue

CodeQL recognizes String.Replace removal of CR/LF as a log-forging barrier.
Reimplement SanitizeLogValue to strip line breaks via String.Replace before
dropping remaining control characters, clearing the residual cs/log-forging
finding in InMemoryCacheService.SetAsync.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 src/Core/PokManager.Domain/Common/SafePath.cs | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/Core/PokManager.Domain/Common/SafePath.cs b/src/Core/PokManager.Domain/Common/SafePath.cs
index 27577a3..b2408cd 100644
--- a/src/Core/PokManager.Domain/Common/SafePath.cs
+++ b/src/Core/PokManager.Domain/Common/SafePath.cs
@@ -94,10 +94,17 @@ public static string SanitizeLogValue(string? value)
             return string.Empty;
         }
 
-        var builder = new System.Text.StringBuilder(value.Length);
-        foreach (var c in value)
+        // Use String.Replace to strip line breaks (recognized as a log-forging barrier),
+        // then drop any remaining control characters.
+        var withoutNewlines = value
+            .Replace("\r", string.Empty, StringComparison.Ordinal)
+            .Replace("\n", string.Empty, StringComparison.Ordinal)
+            .Replace("\t", " ", StringComparison.Ordinal);
+
+        var builder = new System.Text.StringBuilder(withoutNewlines.Length);
+        foreach (var c in withoutNewlines)
         {
-            builder.Append(c is '\r' or '\n' ? '_' : char.IsControl(c) ? ' ' : c);
+            builder.Append(char.IsControl(c) ? ' ' : c);
         }
 
         return builder.ToString();