/testcase-detail/task-log has no authentication — unauthenticated log access with log filter injection #5196

@Ryujiyasu

Description

Summary

The /testcase-detail/task-log endpoint in ClusterFuzz (src/appengine/handlers/testcase_detail/show.py, lines 637–653) has no authentication check, allowing any unauthenticated request to read Cloud Logging task execution logs with log filter injection.

Vulnerable Code

The handler accepts task_id, task_name, and testcase_id parameters and passes them directly to testcase_status_events.get_task_log(). Inside _get_task_log_query_filter() (testcase_status_events.py, lines 222–228), these values are string-interpolated without escaping into a Cloud Logging filter:

f'jsonPayload.extras.task_id="{task_id}" AND ...'

Impact

  1. Unauthenticated log access: Any unauthenticated request can read task execution logs for any testcase containing crash details, bot names, memory addresses, and file paths
  2. Log filter injection: Supplying task_id=x" OR "1"="1 bypasses the per-testcase constraint and returns logs from all testcases across all projects, enabling bulk exfiltration of pre-disclosure vulnerability information

Suggested Fix

  1. Add authentication decorator to the /testcase-detail/task-log endpoint
  2. Parameterize or escape task_id, task_name, and testcase_id values in the Cloud Logging filter string
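
An added illustration of the two suggested mitigations (authentication gate, then allowlist validation plus escaping before the filter string is built). This is example code, not ClusterFuzz's own; the helper names, the `jsonPayload.extras.task_name` / `testcase_id` field paths, and the allowed character sets for `task_id` and `task_name` are assumptions.

```python
import re

# Assumed parameter shapes (not from the report): task_id is an opaque
# [A-Za-z0-9_-] token, task_name a lowercase identifier, testcase_id an integer.
_TASK_ID_RE = re.compile(r'^[A-Za-z0-9_-]{1,128}$')
_TASK_NAME_RE = re.compile(r'^[a-z][a-z0-9_]{0,63}$')


class InvalidParameter(ValueError):
    """Raised when a request parameter fails allowlist validation."""


def escape_filter_literal(value: str) -> str:
    """Backslash-escape a value for a double-quoted Cloud Logging filter literal.

    Defence in depth behind the allowlist: a quote inside the value can no
    longer close the literal and append its own AND/OR clauses.
    """
    return value.replace('\\', '\\\\').replace('"', '\\"')


def build_task_log_filter(task_id, task_name, testcase_id) -> str:
    """Build the per-testcase filter from validated, escaped parameters."""
    if not isinstance(task_id, str) or not _TASK_ID_RE.match(task_id):
        raise InvalidParameter('task_id')
    if not isinstance(task_name, str) or not _TASK_NAME_RE.match(task_name):
        raise InvalidParameter('task_name')
    try:
        testcase_id = int(testcase_id)  # integer only, so nothing to escape
    except (TypeError, ValueError):
        raise InvalidParameter('testcase_id') from None
    # Field paths other than task_id are assumed for this example.
    return (
        f'jsonPayload.extras.task_id="{escape_filter_literal(task_id)}" AND '
        f'jsonPayload.extras.task_name="{escape_filter_literal(task_name)}" AND '
        f'jsonPayload.extras.testcase_id="{testcase_id}"'
    )


def task_log_handler(request_user, params):
    """Hypothetical handler: auth check first, then validation. Returns (status, body)."""
    if request_user is None:
        return 401, 'authentication required'
    try:
        query_filter = build_task_log_filter(
            params.get('task_id'), params.get('task_name'), params.get('testcase_id'))
    except InvalidParameter as e:
        return 400, f'invalid parameter: {e}'
    return 200, query_filter  # the real handler would run the query here
```

With the allowlist in place the injection string from the report is rejected with a 400 before any filter is built; the escaper only matters if validation is later loosened.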
