The code builds clean without any errors or warnings
The PR follows theContribution Guidelines
All unit tests pass, and I have added new tests where possible
Is this a breaking change? If yes, add "[BREAKING]" prefix to the title of the PR.

sanitize redirectUrl for logs

cc7b4be

CopilotAI review requested due to automatic review settings

November 20, 2025 18:59

DeagleGross self-assigned this

Nov 20, 2025

markwallace-microsoft added the .NET label

Nov 20, 2025

DeagleGross had a problem deploying to integration

November 20, 2025 19:00

— with

GitHub Actions Error

DeagleGross had a problem deploying to integration

November 20, 2025 19:00

— with

GitHub Actions Error

Copilotstarted reviewing on behalf ofDeagleGross

November 20, 2025 19:00

View session

Copilotfinished reviewing on behalf ofDeagleGross

November 20, 2025 19:01

use basepath

4145dd6

DeagleGross had a problem deploying to integration

November 20, 2025 19:04

— with

GitHub Actions Error

DeagleGross had a problem deploying to integration

November 20, 2025 19:04

— with

GitHub Actions Error

CopilotAI reviewed

Nov 20, 2025

View reviewed changes

Copy link

Contributor

CopilotAI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Pull Request Overview

This PR adds security hardening to prevent log injection attacks by sanitizing theredirectUrl before logging. When redirecting requests to include a trailing slash, the URL is now sanitized to remove newline characters that could be used to inject malicious content into logs.

Introduces aGeneratedRegex pattern to match and remove newline characters (\r\n)
Changes the class topartial to support the source-generated regex
Sanitizes theredirectUrl before logging to prevent log injection vulnerabilities

dotnet/src/Microsoft.Agents.AI.DevUI/DevUIMiddleware.cs OutdatedShow resolvedHide resolved

sanitize both path and reddirect url

1da8bd4

ReubenBond approved these changes

Nov 20, 2025

View reviewed changes

Copy link

Member

ReubenBond left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I am not 100% sure on the right approach for sanitizing log lines. I think it's fine to just delete that log line, tbh. It's a false alarm anyway, becausepath ==_basePath which is a constant and cannot contain newlines.

DeagleGross temporarily deployed to integration

November 20, 2025 19:10

— with

GitHub Actions Inactive

DeagleGross temporarily deployed to integration

November 20, 2025 19:10

— with

GitHub Actions Inactive

Copy link

ContributorAuthor

DeagleGross commentedNov 20, 2025

I am not 100% sure on the right approach for sanitizing log lines. I think it's fine to just delete that log line, tbh. It's a false alarm anyway, becausepath ==_basePath which is a constant and cannot contain newlines.

I also consider this a false alarm, but I think DevUI should have more logs, not less, to improve dev experience and debugging. That's why decided to leave it.

Decided to do the simple regex for now - we can improve later once we find out best practice for sanitization