From f22cac891c1322d204ab8e4a2d387d7b65430f2c Mon Sep 17 00:00:00 2001
From: Per Stark <per@stark.pub>
Date: Fri, 13 Feb 2026 12:06:18 +0100
Subject: [PATCH] fix: redact ingestion payload logs and update changelog

---
 CHANGELOG.md                                 |  2 ++
 api-router/src/routes/ingress.rs             | 16 +++++++++++++++-
 html-router/src/routes/ingestion/handlers.rs | 16 +++++++++++++++-
 3 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0de8473..e20cccb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,8 @@
 # Changelog
 ## Unreleased
 - Fix: edge case where navigation back to a chat page could trigger a new response generation
+- Security: hardened storage-layer queries by replacing user-influenced string interpolation with bound parameters and adding injection regression tests.
+- Security: removed raw ingestion payload logging from API/HTML ingress handlers and replaced it with metadata-only structured logs.
 
 ## 1.0.1 (2026-02-11)
 - Shipped an S3 storage backend so content can be stored in object storage instead of local disk, with configuration support for S3 deployments.
diff --git a/api-router/src/routes/ingress.rs b/api-router/src/routes/ingress.rs
index 9b72777..b203e73 100644
--- a/api-router/src/routes/ingress.rs
+++ b/api-router/src/routes/ingress.rs
@@ -29,8 +29,22 @@ pub async fn ingest_data(
     Extension(user): Extension<User>,
     TypedMultipart(input): TypedMultipart<IngestParams>,
 ) -> Result<impl IntoResponse, ApiError> {
-    info!("Received input: {:?}", input);
     let user_id = user.id;
+    let content_bytes = input.content.as_ref().map_or(0, |c| c.len());
+    let has_content = input.content.as_ref().is_some_and(|c| !c.trim().is_empty());
+    let context_bytes = input.context.len();
+    let category_bytes = input.category.len();
+    let file_count = input.files.len();
+
+    info!(
+        user_id = %user_id,
+        has_content,
+        content_bytes,
+        context_bytes,
+        category_bytes,
+        file_count,
+        "Received ingestion request"
+    );
 
     let file_infos = try_join_all(input.files.into_iter().map(|file| {
         FileInfo::new_with_storage(file, &state.db, &user_id, &state.storage)
diff --git a/html-router/src/routes/ingestion/handlers.rs b/html-router/src/routes/ingestion/handlers.rs
index ee611e1..76cc789 100644
--- a/html-router/src/routes/ingestion/handlers.rs
+++ b/html-router/src/routes/ingestion/handlers.rs
@@ -95,7 +95,21 @@ pub async fn process_ingress_form(
         ));
     }
 
-    info!("{:?}", input);
+    let content_bytes = input.content.as_ref().map_or(0, |c| c.len());
+    let has_content = input.content.as_ref().is_some_and(|c| !c.trim().is_empty());
+    let context_bytes = input.context.len();
+    let category_bytes = input.category.len();
+    let file_count = input.files.len();
+
+    info!(
+        user_id = %user.id,
+        has_content,
+        content_bytes,
+        context_bytes,
+        category_bytes,
+        file_count,
+        "Received ingestion form submission"
+    );
 
     let file_infos = try_join_all(input.files.into_iter().map(|file| {
         FileInfo::new_with_storage(file, &state.db, &user.id, &state.storage)