Adds code for an interactive journalizing app

[ajosh0504]

No description provided.

[semgrep-code-mongodb]

Semgrep identified an issue in your code:
Detected a logger that logs user input without properly neutralizing the output. The log message could contain characters like and and cause an attacker to forge log entries or include malicious content into the logs. Use proper input validation and/or output encoding to prevent log entries from being forged.

Dataflow graph

flowchart LR
    classDef invis fill:white, stroke: none
    classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none

    subgraph File0["<b>apps/interactive-journal/backend/app/routers/routes.py</b>"]
        direction LR
        %% Source

        subgraph Source
            direction LR

            v0["<a href=https://github.com/mongodb-developer/GenAI-Showcase/blob/4499ef5b6f301c8d397af73649f61daaf348e9a3/apps/interactive-journal/backend/app/routers/routes.py#L99 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 99] version</a>"]
        end
        %% Intermediate

        subgraph Traces0[Traces]
            direction TB

            v2["<a href=https://github.com/mongodb-developer/GenAI-Showcase/blob/4499ef5b6f301c8d397af73649f61daaf348e9a3/apps/interactive-journal/backend/app/routers/routes.py#L99 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 99] version</a>"]
        end
        %% Sink

        subgraph Sink
            direction LR

            v1["<a href=https://github.com/mongodb-developer/GenAI-Showcase/blob/4499ef5b6f301c8d397af73649f61daaf348e9a3/apps/interactive-journal/backend/app/routers/routes.py#L102 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 102] f&quot;Searching entries with query: {q[:50]}... (version={version})&quot;</a>"]
        end
    end
    %% Class Assignment
    Source:::invis
    Sink:::invis

    Traces0:::invis
    File0:::invis

    %% Connections

    Source --> Traces0
    Traces0 --> Sink

Loading

To resolve this comment:

✨ Commit Assistant fix suggestion

Suggested change

	logger.info(f"Searching entries with query: {q[:50]}... (version={version})")
	# Sanitize user input to prevent log injection
	clean_q = q.replace('\n', ' ').replace('\r', ' ')[:50]
	logger.info(f"Searching entries with query: {clean_q}... (version={version})")

View step-by-step instructions

1. Avoid logging user-provided search queries directly using f-strings, as this may include malicious content in your logs.
2. If you need to record user input for debugging, log a masked or length-limited version, and always use structured logging with separate fields. For example, use logger.info("Searching entries", extra={"query": q[:50], "version": version}).
3. Alternatively, if you must include the value in the log message, sanitize the input by replacing newlines and special characters. For example: clean_q = q.replace('\n', ' ').replace('\r', ' ')[:50] then log: logger.info(f"Searching entries with query: {clean_q}... (version={version})").
4. Make sure to never log the full query if it may contain sensitive or user-controlled data to minimize risk of log injection.

Structured logging lets log processors or SIEM tools better handle and filter potentially unsafe or multiline user data.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

• /fp <comment> for false positive
• /ar <comment> for acceptable risk
• /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by tainted-log-injection-stdlib-fastapi.

🛟 Help? Slack #semgrep-help or go/semgrep-help.

Resolution Options:

• Fix the code
• Reply /fp $reason (if security gap doesn’t exist)
• Reply /ar $reason (if gap is valid but intentional; add mitigations/monitoring)
• Reply /other $reason (e.g., test-only)

_{You can view more details about this finding in the Semgrep AppSec Platform.}