server: quote method in logs, fix CodeQL warnings

CWE-117:
  Log entries created from user input

  If unsanitized user input is written to a log entry, a malicious user may be able to forge new log entries.

pkg/rpc/server/server.go

@@ -14,6 +14,7 @@ import (
 	"net"
 	"net/http"
 	"strconv"
+	"strings"
 	"sync"
 	"time"
 
@@ -325,10 +326,12 @@ func (s *Server) handleHTTPRequest(w http.ResponseWriter, httpRequest *http.Requ
 
 func (s *Server) handleRequest(req *request.Request, sub *subscriber) response.AbstractResult {
 	if req.In != nil {
+		req.In.Method = escapeForLog(req.In.Method) // No valid method name will be changed by it.
 		return s.handleIn(req.In, sub)
 	}
 	resp := make(response.AbstractBatch, len(req.Batch))
 	for i, in := range req.Batch {
+		in.Method = escapeForLog(in.Method) // No valid method name will be changed by it.
 		resp[i] = s.handleIn(&in, sub)
 	}
 	return resp
@@ -349,7 +352,7 @@ func (s *Server) handleIn(req *request.In, sub *subscriber) response.Abstract {
 
 	incCounter(req.Method)
 
-	resErr = response.NewMethodNotFoundError(fmt.Sprintf("Method '%s' not supported", req.Method), nil)
+	resErr = response.NewMethodNotFoundError(fmt.Sprintf("Method %q not supported", req.Method), nil)
 	handler, ok := rpcHandlers[req.Method]
 	if ok {
 		res, resErr = handler(s, reqParams)
@@ -2190,3 +2193,12 @@ func validateAddress(addr interface{}) bool {
 	}
 	return false
 }
+
+func escapeForLog(in string) string {
+	return strings.Map(func(c rune) rune {
+		if !strconv.IsGraphic(c) {
+			return -1
+		}
+		return c
+	}, in)
+}

pkg/rpc/server/server_test.go

@@ -2569,6 +2569,11 @@ func checkNep17TransfersAux(t *testing.T, e *executor, acc interface{}, sent, rc
 	require.Equal(t, arr, res.Received)
 }
 
+func TestEscapeForLog(t *testing.T) {
+	in := "\n\tbad"
+	require.Equal(t, "bad", escapeForLog(in))
+}
+
 func BenchmarkHandleIn(b *testing.B) {
 	chain, orc, cfg, logger := getUnitTestChain(b, false, false)