From 222dd6bba3e689a4b3ded7a8bb715b89f4517121 Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Fri, 20 Mar 2026 10:27:18 -0700
Subject: [PATCH] Santize inserts

---
 server/routers/badger/logRequestAudit.ts | 45 +++++++++++++++++-------
 1 file changed, 32 insertions(+), 13 deletions(-)

diff --git a/server/routers/badger/logRequestAudit.ts b/server/routers/badger/logRequestAudit.ts
index 1e36bd4d5..4dd5bff99 100644
--- a/server/routers/badger/logRequestAudit.ts
+++ b/server/routers/badger/logRequestAudit.ts
@@ -5,6 +5,26 @@ import cache from "#dynamic/lib/cache";
 import { calculateCutoffTimestamp } from "@server/lib/cleanupLogs";
 import { stripPortFromHost } from "@server/lib/ip";
 
+/**
+ * Sanitize a string field by replacing lone UTF-16 surrogates (which cannot
+ * be encoded as valid UTF-8) with the Unicode replacement character, and
+ * stripping ASCII control characters that are invalid in most text columns.
+ */
+function sanitizeString(value: string | undefined | null): string | undefined {
+    if (value == null) return undefined;
+    return (
+        value
+            // Replace lone high surrogates (not followed by a low surrogate)
+            // and lone low surrogates (not preceded by a high surrogate)
+            .replace(
+                /[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?<![\uD800-\uDBFF])[\uDC00-\uDFFF]/g,
+                "\uFFFD"
+            )
+            // Strip C0 control characters except HT (\x09), LF (\x0A), CR (\x0D)
+            .replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, "")
+    );
+}
+
 /**
 
 Reasons:
@@ -253,24 +273,23 @@ export async function logRequestAudit(
         // Add to buffer instead of writing directly to DB
         auditLogBuffer.push({
             timestamp,
-            orgId: data.orgId,
-            actorType,
-            actor,
-            actorId,
-            metadata,
+            orgId: sanitizeString(data.orgId),
+            actorType: sanitizeString(actorType),
+            actor: sanitizeString(actor),
+            actorId: sanitizeString(actorId),
+            metadata: sanitizeString(metadata),
             action: data.action,
             resourceId: data.resourceId,
             reason: data.reason,
-            location: data.location,
-            originalRequestURL: body.originalRequestURL,
-            scheme: body.scheme,
-            host: body.host,
-            path: body.path,
-            method: body.method,
-            ip: clientIp,
+            location: sanitizeString(data.location),
+            originalRequestURL: sanitizeString(body.originalRequestURL) ?? "",
+            scheme: sanitizeString(body.scheme) ?? "",
+            host: sanitizeString(body.host) ?? "",
+            path: sanitizeString(body.path) ?? "",
+            method: sanitizeString(body.method) ?? "",
+            ip: sanitizeString(clientIp),
             tls: body.tls
         });
-
         // Flush immediately if buffer is full, otherwise schedule a flush
         if (auditLogBuffer.length >= BATCH_SIZE) {
             // Fire and forget - don't block the caller