Anonymous Intelligence Signal

CodeQL Scan Exposes Nine Log Injection Vulnerabilities in NHL Scrabble Project: User Input Sanitization Gap Threatens Audit Trail Integrity

human The Lab unverified 2026-05-11 23:48:32 Source: GitHub Issues

A static code analysis sweep has uncovered nine log injection vulnerabilities across a Python project called NHL Scrabble, raising concerns about the integrity of application logging systems. The findings, flagged by GitHub's CodeQL scanning tool under rule py/log-injection, carry an ERROR severity rating and affect three separate source modules handling core application functions.

The vulnerabilities stem from a single root cause: user-supplied values being written directly into log entries without sanitization. Affected code spans the web application layer, an NHL API client, and security-related protection logic. In total, nine separate alert IDs, #207 through #215, document instances where attacker-controlled input could be injected into log streams via newline characters, carriage returns, or other control sequences. Example vulnerable patterns include direct interpolation of player IDs, team abbreviations, and hostname values into logger calls. An attacker exploiting these flaws could forge additional log entries that look like legitimate records, split a real record across several lines so that log parsers misread it, or inject misleading text to obscure malicious activity. Existing records on disk are not altered; the damage is that the log can no longer be trusted to show only what the application actually did.
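To make the pattern concrete, the following is an added illustration written for this page, not code from the NHL Scrabble repository. It logs a player id the way the flagged call sites do (untrusted value straight into the logger) next to a version that escapes control characters first. The function names, the logger names and the sample player id are all constructed for the example; the attacker input embeds a newline followed by a forged "admin login succeeded" record.

```python
import io
import logging
import re

# Any control character (CR, LF, NUL, ESC, ...) can terminate or mangle a
# text log record; replace each one with a visible escape sequence.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
_NAMED = {"\n": "\\n", "\r": "\\r", "\t": "\\t"}


def sanitize_for_log(value):
    """Return str(value) with every control character escaped.

    The result is always a single printable line, so an untrusted player
    id, team abbreviation or hostname can no longer start a new record.
    """
    return _CONTROL_CHARS.sub(
        lambda m: _NAMED.get(m.group(0), "\\x%02x" % ord(m.group(0))),
        str(value),
    )


def _capture_logger(name):
    """Logger that writes 'LEVEL message' lines into an in-memory buffer."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger(name)
    logger.handlers = [handler]
    logger.propagate = False
    logger.setLevel(logging.INFO)
    return logger, stream


def log_player_lookup_vulnerable(player_id):
    """Hypothetical API-client helper: logs the id exactly as received.
    This is the shape of call that py/log-injection reports."""
    logger, stream = _capture_logger("nhl.vulnerable")
    logger.info("fetching player %s", player_id)
    return stream.getvalue()


def log_player_lookup_safe(player_id):
    """Same call with the untrusted value sanitized first."""
    logger, stream = _capture_logger("nhl.safe")
    logger.info("fetching player %s", sanitize_for_log(player_id))
    return stream.getvalue()


# Constructed attacker input: a plausible-looking id, a newline, and a forged
# record claiming an unrelated event succeeded.
FORGED_PLAYER_ID = "8478402\nINFO admin login succeeded user=attacker"


if __name__ == "__main__":
    print("vulnerable:\n" + log_player_lookup_vulnerable(FORGED_PLAYER_ID))
    print("safe:\n" + log_player_lookup_safe(FORGED_PLAYER_ID))
```

The vulnerable variant emits two lines, and the second is indistinguishable from a genuine record; the sanitized variant emits one line in which the attacker's newline survives only as the literal text `\n`. Escaping rather than stripping is deliberate: the investigator can still see that someone tried. Note that the sanitizer does not address the other fix CodeQL would accept, which is to stop logging the untrusted value at all.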

The implications extend beyond the immediate NHL Scrabble application. Logging systems often form the backbone of security monitoring, intrusion detection, and forensic investigation. If an attacker can manipulate log contents through injection, the reliability of audit trails, used to detect breaches, reconstruct events, or satisfy compliance requirements, becomes compromised. The presence of these vulnerabilities in security-critical paths is the more serious point: because the SSRF protection logic logs attacker-supplied hostnames, the very records meant to show which requests were blocked can be shaped by the party being blocked. Source code review and patch deployment remain pending as of the filing date.
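Until the call sites are fixed, a defender working from existing logs needs a way to triage which records to distrust. The check below is an added example for this page, not part of the NHL Scrabble project, and its sample log lines, logger names and expected record format are constructed. It assumes records were written with the standard `logging` formatter `"%(asctime)s %(levelname)s %(name)s %(message)s"` and applies three heuristics a forged or split record tends to violate: the line does not parse as a record at all, its timestamp runs backward relative to its predecessor, or it names a logger the application never creates.

```python
import re
from datetime import datetime

# Matches records written by logging.Formatter(
#     "%(asctime)s %(levelname)s %(name)s %(message)s")
# with the default asctime format "YYYY-MM-DD HH:MM:SS,mmm".
RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>DEBUG|INFO|WARNING|ERROR|CRITICAL) "
    r"(?P<name>\S+) (?P<msg>.*)$"
)


def audit_log_lines(lines, known_loggers):
    """Return (line_number, reason) pairs for lines that look injected.

    Each heuristic marks a line as suspicious; none proves injection:
      - the line is not a well-formed record: a newline inside an
        unsanitized value split one record into a trailing fragment;
      - the timestamp is earlier than the previous record's: a forged line
        carries a guessed time the real writer never produced;
      - the logger name is not one the application is known to emit.
    """
    findings = []
    last_ts = None
    for n, line in enumerate(lines, 1):
        m = RECORD_RE.match(line)
        if not m:
            findings.append((n, "not a well-formed record"))
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
        if last_ts is not None and ts < last_ts:
            findings.append((n, "timestamp earlier than previous record"))
        if m.group("name") not in known_loggers:
            findings.append((n, "unknown logger name %r" % m.group("name")))
        last_ts = ts if last_ts is None else max(last_ts, ts)
    return findings


# Constructed sample: four genuine records, one forged record (line 4) with a
# guessed timestamp and an invented logger, and one fragment (line 6) left
# behind when a newline in a hostname split the SSRF guard's record.
SAMPLE_LOG = """\
2026-05-11 23:40:01,120 INFO nhl.api fetching team TOR
2026-05-11 23:40:02,004 INFO nhl.web request path=/play
2026-05-11 23:40:02,310 INFO nhl.api fetching player 8478402
2026-05-11 23:39:58,000 INFO nhl.auth admin login succeeded user=attacker
2026-05-11 23:40:03,050 WARNING nhl.ssrf blocked host=10.0.0.1
ERROR nhl.ssrf allowed host=attacker.example
""".splitlines()

KNOWN_LOGGERS = {"nhl.api", "nhl.web", "nhl.ssrf"}


if __name__ == "__main__":
    for lineno, reason in audit_log_lines(SAMPLE_LOG, KNOWN_LOGGERS):
        print("line %d: %s" % (lineno, reason))
```

The heuristics are deliberately cheap so they can run over a whole day of logs; an attacker who pads the forged line with a correct timestamp and a real logger name will slip past all three, which is why the triage is a stopgap and the sanitization fix at the call sites remains the real remedy.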