From 77f904d35c92fa6343eee51125a41ed96d149ecf Mon Sep 17 00:00:00 2001
From: Vincent Koc
Date: Thu, 30 Apr 2026 00:49:38 -0700
Subject: [PATCH] fix(security): emit QQBot debug logs as sanitized lines

Emits QQBot debug logs as CRLF-neutralized lines to remediate CodeQL alert 231.
---
 extensions/qqbot/src/engine/utils/log.test.ts | 2 +-
 extensions/qqbot/src/engine/utils/log.ts | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/extensions/qqbot/src/engine/utils/log.test.ts b/extensions/qqbot/src/engine/utils/log.test.ts
index 74f82211344..b12f076eea5 100644
--- a/extensions/qqbot/src/engine/utils/log.test.ts
+++ b/extensions/qqbot/src/engine/utils/log.test.ts
@@ -23,6 +23,6 @@ describe("QQBot debug logging", () => {
 debugLog("prefix", "line one\nline two");
- expect(logSpy).toHaveBeenCalledWith("prefix", "line one line two");
+ expect(logSpy).toHaveBeenCalledWith("prefix line one line two");
 });
 });
diff --git a/extensions/qqbot/src/engine/utils/log.ts b/extensions/qqbot/src/engine/utils/log.ts
index 3f0d7a5b417..751b9013d03 100644
--- a/extensions/qqbot/src/engine/utils/log.ts
+++ b/extensions/qqbot/src/engine/utils/log.ts
@@ -35,27 +35,27 @@ export function sanitizeDebugLogValue(value: unknown): string {
 return `${sanitized.slice(0, MAX_LOG_VALUE_CHARS)}...`;
 }
-function sanitizeDebugLogArgs(args: unknown[]): string[] {
- return args.map(sanitizeDebugLogValue);
+function formatDebugLogArgs(args: unknown[]): string {
+ return args.map(sanitizeDebugLogValue).join(" ");
 }
 /** Debug-level log; only outputs when QQBOT_DEBUG is enabled. */
 export function debugLog(...args: unknown[]): void {
 if (isDebug()) {
- console.log(...sanitizeDebugLogArgs(args));
+ console.log(formatDebugLogArgs(args).replace(/[\r\n]/g, " "));
 }
 }
 /** Debug-level warning; only outputs when QQBOT_DEBUG is enabled. */
 export function debugWarn(...args: unknown[]): void {
 if (isDebug()) {
- console.warn(...sanitizeDebugLogArgs(args));
+ console.warn(formatDebugLogArgs(args).replace(/[\r\n]/g, " "));
 }
 }
 /** Debug-level error; only outputs when QQBOT_DEBUG is enabled. */
 export function debugError(...args: unknown[]): void {
 if (isDebug()) {
- console.error(...sanitizeDebugLogArgs(args));
+ console.error(formatDebugLogArgs(args).replace(/[\r\n]/g, " "));
 }
 }
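Review bot: The `.replace(/[\r\n]/g, " ")` added at the three `console.*` sinks neutralizes only CR and LF, so other characters that still break or forge a log line pass straight through: the Unicode line separators U+2028/U+2029 and NEL, and in particular the ESC byte (`\x1b`) that lets an attacker-controlled value emit ANSI sequences and overwrite or hide adjacent terminal output. Unless `sanitizeDebugLogValue` already strips these — its body starts above this hunk, so that cannot be confirmed here — widen the pattern to something like `.replace(/[\r\n\u2028\u2029\x1b]/g, " ")` (or `/[\p{Cc}\u2028\u2029]/gu` to cover every C0/C1 control). The same replace is now duplicated verbatim in debugLog, debugWarn and debugError; folding it into `formatDebugLogArgs`, which already joins the sanitized values, keeps a single definition of "safe log line", and if the duplication is deliberate because CodeQL only recognizes the sanitizer adjacent to the sink, a one-line comment saying so would stop the next refactor from silently undoing it. The updated test pins only the `\n` case; a case with `\r` and `\x1b` in the argument would guard the widened pattern.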