fix(security): remove raw session_id from security event logs #625

Open
hobostay wants to merge 1 commit into OpenBMB:main from hobostay:fix/session-id-info-disclosure

Conversation

@hobostay

Summary

  • Remove the raw user-supplied session_id from the INVALID_SESSION_ID_FORMAT security log event
  • The previous code logged the potentially malicious input verbatim in both the message and details field

Vulnerability Details

In server/routes/sessions.py (lines 21-26), when an invalid session_id is detected, the code logs:

logger.log_security_event(
    "INVALID_SESSION_ID_FORMAT",
    f"Invalid session_id format: {session_id}",
    details={"received_session_id": session_id},
)

Since this input already failed the format validation and is flagged as potentially malicious, logging it verbatim is risky:

  1. Log injection: An attacker can craft a session_id containing newline characters or log-formatting sequences to inject fake log entries, obscuring real attacks
  2. Information disclosure: The raw value is stored in structured log details, potentially exposing injection payloads to downstream log analysis systems

Fix

Replace with a static message that still records the event without echoing the raw input:

logger.log_security_event(
    "INVALID_SESSION_ID_FORMAT",
    "Invalid session_id format rejected",
)

Test plan

  • Send a request with an invalid session_id and verify the security event is still logged
  • Verify the log no longer contains the raw user-supplied value

🤖 Generated with Claude Code
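
The following is an added example, not code from this pull request or from the OpenBMB repository: it puts the pre-fix and post-fix logging calls quoted above side by side in a small self-contained Python model and shows what a line-oriented log consumer sees in each case. The `SecurityLogger` class, the 32-hex-character session_id format, and the constructed `FORGED_SESSION_ID` value are all assumptions made here for illustration; the real validation in server/routes/sessions.py is not shown on this page.

```python
import re
from typing import Callable, Optional

# Assumed session_id format (hypothetical): 32 lowercase hex characters.
# The project's real format check is not part of the PR description.
SESSION_ID_RE = re.compile(r"^[0-9a-f]{32}$")


class SecurityLogger:
    """Stand-in for the project's logger (hypothetical): one text line per
    event, kept in memory so the effect of user-controlled input is visible."""

    def __init__(self) -> None:
        self.buffer: list[str] = []

    def log_security_event(self, event: str, message: str,
                           details: Optional[dict] = None) -> None:
        line = f"SECURITY {event}: {message}"
        if details:
            line += f" details={details!r}"
        self.buffer.append(line)

    def records(self) -> list[str]:
        # grep, a SIEM ingester, or anything line-oriented treats each
        # newline as a record boundary, so split exactly the way it would.
        return "\n".join(self.buffer).split("\n")


def validate_session_vulnerable(session_id: str, logger: SecurityLogger) -> bool:
    """Pre-fix behaviour from the PR: the rejected value is echoed verbatim
    into both the message and the structured details."""
    if not SESSION_ID_RE.match(session_id):
        logger.log_security_event(
            "INVALID_SESSION_ID_FORMAT",
            f"Invalid session_id format: {session_id}",
            details={"received_session_id": session_id},
        )
        return False
    return True


def validate_session_fixed(session_id: str, logger: SecurityLogger) -> bool:
    """Post-fix behaviour from the PR: a static message records the event
    without carrying any attacker-controlled bytes."""
    if not SESSION_ID_RE.match(session_id):
        logger.log_security_event(
            "INVALID_SESSION_ID_FORMAT",
            "Invalid session_id format rejected",
        )
        return False
    return True


# Constructed sample input: a session_id that fails the format check and
# carries an embedded newline followed by text shaped like a benign record.
FORGED_SESSION_ID = "zzz\nINFO user=admin login ok"


def records_for(validator: Callable[[str, SecurityLogger], bool]) -> list[str]:
    """Run one validator on the constructed input and return the log records
    a line-oriented consumer would see."""
    logger = SecurityLogger()
    validator(FORGED_SESSION_ID, logger)
    return logger.records()


if __name__ == "__main__":
    for name, validator in (("vulnerable", validate_session_vulnerable),
                            ("fixed", validate_session_fixed)):
        recs = records_for(validator)
        print(f"{name}: {len(recs)} record(s)")
        for r in recs:
            print("   ", r)
```

With the pre-fix call the single logging statement yields two records, the second of which begins with the attacker's chosen text `INFO user=admin login ok`; with the post-fix call the same input yields exactly one record that contains none of the rejected value. Well-formed ids pass both validators unchanged, so the test plan's two checks (event still logged, raw value absent) can be asserted directly on `records_for`.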

The INVALID_SESSION_ID_FORMAT log event was logging the raw
user-supplied session_id value in both the message and details
field. Since this input is already flagged as potentially malicious
(failing the format check), logging it verbatim could enable log
injection attacks where an attacker crafts a session_id containing
log-forging characters (e.g. newlines) to inject fake log entries.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>