From cc7b4be405b5733ceea89690fefc217e860913e5 Mon Sep 17 00:00:00 2001 From: Korolev Dmitry Date: Thu, 20 Nov 2025 19:59:06 +0100 Subject: [PATCH 1/3] sanitize redirectUrl for logs --- .../src/Microsoft.Agents.AI.DevUI/DevUIMiddleware.cs | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/dotnet/src/Microsoft.Agents.AI.DevUI/DevUIMiddleware.cs b/dotnet/src/Microsoft.Agents.AI.DevUI/DevUIMiddleware.cs index fc6dd512ec..ffb1629d4f 100644 --- a/dotnet/src/Microsoft.Agents.AI.DevUI/DevUIMiddleware.cs +++ b/dotnet/src/Microsoft.Agents.AI.DevUI/DevUIMiddleware.cs @@ -4,6 +4,7 @@ using System.IO.Compression; using System.Reflection; using System.Security.Cryptography; +using System.Text.RegularExpressions; using Microsoft.AspNetCore.StaticFiles; using Microsoft.Extensions.Primitives; using Microsoft.Net.Http.Headers; @@ -13,8 +14,11 @@ namespace Microsoft.Agents.AI.DevUI; /// /// Handler that serves embedded DevUI resource files from the 'resources' directory. /// -internal sealed class DevUIMiddleware +internal sealed partial class DevUIMiddleware { + [GeneratedRegex(@"[\r\n]+")] + private static partial Regex NewlineRegex(); + private const string GZipEncodingValue = "gzip"; private static readonly StringValues s_gzipEncodingHeader = new(GZipEncodingValue); private static readonly Assembly s_assembly = typeof(DevUIMiddleware).Assembly; @@ -78,7 +82,9 @@ public async Task HandleRequestAsync(HttpContext context) context.Response.StatusCode = StatusCodes.Status301MovedPermanently; context.Response.Headers.Location = redirectUrl; - this._logger.LogDebug("Redirecting {OriginalPath} to {RedirectUrl}", path, redirectUrl); + + var sanitizedRedirectUrl = NewlineRegex().Replace(redirectUrl, ""); + this._logger.LogDebug("Redirecting {OriginalPath} to {RedirectUrl}", path, sanitizedRedirectUrl); return; } From 4145dd6f589462ed5c6318d82042faef0fb8b4c2 Mon Sep 17 00:00:00 2001 
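Review bot: The `[GeneratedRegex(@"[\r\n]+")]` pattern added to `DevUIMiddleware` matches only CR and LF, so other characters that some log viewers render as a line break (U+0085, U+2028, U+2029) and other control characters still reach the log. Since the file already relies on `[GeneratedRegex]`, `value.ReplaceLineEndings("")` should also be available and covers the Unicode newline set without a regex; otherwise widen the class, e.g. `@"[\r\n\u0085\u2028\u2029]+"`. `NewlineRegex()` also has no doc comment; I would add `/// <summary>Matches line breaks that are stripped from request-derived values before they are logged.</summary>` so it is not mistaken for general input validation.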
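Review bot: Only the logged copy is stripped in the `@@ -78,7 +82,9 @@` hunk; `context.Response.Headers.Location = redirectUrl;` two lines above still receives the raw value, including the appended query string. If `redirectUrl` can really carry CR/LF, which is what this change assumes, the response header is the more serious sink. The value should then be validated once before both uses, for example by rejecting the request when `redirectUrl.AsSpan().IndexOfAny('\r', '\n') >= 0`. If the server already refuses control characters in header values, a short comment saying so would explain why only the log argument is cleaned. The same context lines appear unchanged in patch 3/3, and `HandleRequestAsync` begins and ends outside the hunk.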
From: Korolev Dmitry Date: Thu, 20 Nov 2025 20:03:43 +0100 Subject: [PATCH 2/3] use basepath --- dotnet/src/Microsoft.Agents.AI.DevUI/DevUIMiddleware.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dotnet/src/Microsoft.Agents.AI.DevUI/DevUIMiddleware.cs b/dotnet/src/Microsoft.Agents.AI.DevUI/DevUIMiddleware.cs index ffb1629d4f..11295b68cd 100644 --- a/dotnet/src/Microsoft.Agents.AI.DevUI/DevUIMiddleware.cs +++ b/dotnet/src/Microsoft.Agents.AI.DevUI/DevUIMiddleware.cs @@ -74,7 +74,7 @@ public async Task HandleRequestAsync(HttpContext context) // This ensures relative URLs in the HTML work correctly if (string.Equals(path, this._basePath, StringComparison.OrdinalIgnoreCase) && !path.EndsWith('/')) { - var redirectUrl = $"{path}/"; + var redirectUrl = this._basePath + "/"; if (context.Request.QueryString.HasValue) { redirectUrl += context.Request.QueryString.Value; From 1da8bd48096a66d53990084beb1e3d6c841d136a Mon Sep 17 00:00:00 2001 From: Korolev Dmitry Date: Thu, 20 Nov 2025 20:09:34 +0100 Subject: [PATCH 3/3] sanitize both path and reddirect url --- dotnet/src/Microsoft.Agents.AI.DevUI/DevUIMiddleware.cs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/dotnet/src/Microsoft.Agents.AI.DevUI/DevUIMiddleware.cs b/dotnet/src/Microsoft.Agents.AI.DevUI/DevUIMiddleware.cs index 11295b68cd..a2b210ca4d 100644 --- a/dotnet/src/Microsoft.Agents.AI.DevUI/DevUIMiddleware.cs +++ b/dotnet/src/Microsoft.Agents.AI.DevUI/DevUIMiddleware.cs 
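Review bot: The switch to `this._basePath + "/"` has no comment explaining why the request path is no longer echoed, and the query string appended just below it is still request-controlled. I would add above the assignment: `// Build the target from the configured base path so no request-controlled path text reaches the Location header or the log.` Because the comparison is `OrdinalIgnoreCase`, the 301 now also normalises the casing to the configured value, which is worth stating in the same comment. `context.Request.QueryString.Value` continues to flow into both the header and the Debug log, so query parameters carrying tokens would be recorded; consider logging the path only. The enclosing `if` block and `HandleRequestAsync` extend beyond the hunk.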
@@ -83,8 +83,7 @@ public async Task HandleRequestAsync(HttpContext context) context.Response.StatusCode = StatusCodes.Status301MovedPermanently; context.Response.Headers.Location = redirectUrl; - var sanitizedRedirectUrl = NewlineRegex().Replace(redirectUrl, ""); - this._logger.LogDebug("Redirecting {OriginalPath} to {RedirectUrl}", path, sanitizedRedirectUrl); + this._logger.LogDebug("Redirecting {OriginalPath} to {RedirectUrl}", NewlineRegex().Replace(path, ""), NewlineRegex().Replace(redirectUrl, "")); return; }
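Review bot: Both `NewlineRegex().Replace(...)` calls on the new `LogDebug` line run on every redirect even when Debug logging is disabled, because the arguments are evaluated before the logger checks its level. Wrapping the call in `if (this._logger.IsEnabled(LogLevel.Debug)) { ... }` avoids that work, and a small private helper such as `SanitizeForLog(string value)` would remove the duplicated expression and shorten the line. Replacing the match with a visible marker like `"_"` instead of `""` would keep evidence in the log that a value contained line breaks, which helps when reviewing suspicious requests. `HandleRequestAsync` begins and ends outside the hunk.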