fmt: fix ANSI escape sequence injection vulnerability (#3368)

Fixes a security vulnerability where ANSI escape sequences in user input could be injected into terminal output, potentially allowing attackers to manipulate terminal behavior through log messages and error displays. The vulnerability occurred when user-controlled content was formatted using Display (`{}`) instead of Debug (`{:?}`) formatting, allowing raw ANSI sequences to pass through unescaped. Changes: - Add streaming ANSI escape wrapper to avoid string allocations - Escape message content in default and pretty formatters - Escape error Display content in all error formatting paths - Add comprehensive integration tests for all formatter types The fix specifically targets untrusted user input while preserving the ability for applications to deliberately include formatting in trusted contexts like thread names. Security impact: Prevents terminal injection attacks such as title bar manipulation, screen clearing, and other malicious terminal control sequences that could be injected through log messages.

Author: carllerche

tracing-subscriber/CHANGELOG.md

@@ -1,3 +1,11 @@
+# 0.3.20 (August 29, 2025)
+
+[ [crates.io][crate-0.3.20] ] | [ [docs.rs][docs-0.3.20] ]
+
+### Fixed
+
+- Escape ANSI escape sequences in logs
+
 # 0.3.19 (November 29, 2024)
 
 [ [crates.io][crate-0.3.19] ] | [ [docs.rs][docs-0.3.19] ]

tracing-subscriber/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "tracing-subscriber"
-version = "0.3.19"
+version = "0.3.20"
 authors = [
  "Eliza Weisman <eliza@buoyant.io>",
  "David Barsky <me@davidbarsky.com>",

tracing-subscriber/src/fmt/format/escape.rs

@@ -0,0 +1,51 @@
+//! ANSI escape sequence sanitization to prevent terminal injection attacks.
+
+use std::fmt::{self, Write};
+
+/// A wrapper that implements `fmt::Debug` and `fmt::Display` and escapes ANSI sequences on-the-fly.
+/// This avoids creating intermediate strings while providing security against terminal injection.
+pub(super) struct Escape<T>(pub(super) T);
+
+/// Helper struct that escapes ANSI sequences as characters are written
+struct EscapingWriter<'a, 'b> {
+ inner: &'a mut fmt::Formatter<'b>,
+}
+
+impl<'a, 'b> fmt::Write for EscapingWriter<'a, 'b> {
+ fn write_str(&mut self, s: &str) -> fmt::Result {
+ // Stream the string character by character, escaping ANSI and C1 control sequences
+ for ch in s.chars() {
+ match ch {
+ // C0 control characters that can be used in terminal escape sequences
+ '\x1b' => self.inner.write_str("\\x1b")?, // ESC
+ '\x07' => self.inner.write_str("\\x07")?, // BEL
+ '\x08' => self.inner.write_str("\\x08")?, // BS
+ '\x0c' => self.inner.write_str("\\x0c")?, // FF
+ '\x7f' => self.inner.write_str("\\x7f")?, // DEL
+ 
+ // C1 control characters (\x80-\x9f) - 8-bit control codes
+ // These can be used as alternative escape sequences in some terminals
+ ch if ch as u32 >= 0x80 && ch as u32 <= 0x9f => {
+ write!(self.inner, "\\u{{{:x}}}", ch as u32)?
+ },
+ 
+ _ => self.inner.write_char(ch)?,
+ }
+ }
+ Ok(())
+ }
+}
+
+impl<T: fmt::Debug> fmt::Debug for Escape<T> {
+ fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+ let mut escaping_writer = EscapingWriter { inner: f };
+ write!(escaping_writer, "{:?}", self.0)
+ }
+}
+
+impl<T: fmt::Display> fmt::Display for Escape<T> {
+ fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+ let mut escaping_writer = EscapingWriter { inner: f };
+ write!(escaping_writer, "{}", self.0)
+ }
+}

tracing-subscriber/src/fmt/format/mod.rs

@@ -48,6 +48,10 @@ use tracing_log::NormalizeEvent;
 #[cfg(feature = "ansi")]
 use nu_ansi_term::{Color, Style};
 
+
+mod escape;
+use escape::Escape;
+
 #[cfg(feature = "json")]
 mod json;
 #[cfg(feature = "json")]
@@ -1257,15 +1261,15 @@ impl field::Visit for DefaultVisitor<'_> {
  field,
  &format_args!(
  "{} {}{}{}{}",
- value,
+ Escape(&format_args!("{}", value)),
  italic.paint(field.name()),
  italic.paint(".sources"),
  self.writer.dimmed().paint("="),
  ErrorSourceList(source)
  ),
  )
  } else {
- self.record_debug(field, &format_args!("{}", value))
+ self.record_debug(field, &format_args!("{}", Escape(&format_args!("{}", value))))
  }
  }
 
@@ -1287,7 +1291,10 @@ impl field::Visit for DefaultVisitor<'_> {
  self.maybe_pad();
 
  self.result = match name {
- "message" => write!(self.writer, "{:?}", value),
+ "message" => {
+ // Escape ANSI characters to prevent malicious patterns (e.g., terminal injection attacks)
+ write!(self.writer, "{:?}", Escape(value))
+ },
  name if name.starts_with("r#") => write!(
  self.writer,
  "{}{}{:?}",
@@ -1326,7 +1333,7 @@ impl Display for ErrorSourceList<'_> {
  let mut list = f.debug_list();
  let mut curr = Some(self.0);
  while let Some(curr_err) = curr {
- list.entry(&format_args!("{}", curr_err));
+ list.entry(&Escape(&format_args!("{}", curr_err)));
  curr = curr_err.source();
  }
  list.finish()

tracing-subscriber/src/fmt/format/pretty.rs

@@ -457,15 +457,15 @@ impl field::Visit for PrettyVisitor<'_> {
  field,
  &format_args!(
  "{}, {}{}.sources{}: {}",
- value,
+ Escape(&format_args!("{}", value)),
  bold.prefix(),
  field,
  bold.infix(self.style),
  ErrorSourceList(source),
  ),
  )
  } else {
- self.record_debug(field, &format_args!("{}", value))
+ self.record_debug(field, &Escape(&format_args!("{}", value)))
  }
  }
 
@@ -475,7 +475,10 @@ impl field::Visit for PrettyVisitor<'_> {
  }
  let bold = self.bold();
  match field.name() {
- "message" => self.write_padded(&format_args!("{}{:?}", self.style.prefix(), value,)),
+ "message" => {
+ // Escape ANSI characters to prevent malicious patterns (e.g., terminal injection attacks)
+ self.write_padded(&format_args!("{}{:?}", self.style.prefix(), Escape(value)))
+ },
  // Skip fields that are actually log metadata that have already been handled
  #[cfg(feature = "tracing-log")]
  name if name.starts_with("log.") => self.result = Ok(()),