Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Checkmarx Java fix for Log Forging -sanitizing user input

Can anyone suggest the proper sanitization/validation process required for the courseType variable in the following getCourses method. I am using that variable to write in a log file.

I've tried HtmlUtils.HtmlEscape() but didn't get expected results.

Thanks!

@RequestMapping(value = "/retriveCourses", method = RequestMethod.GET)
@ResponseBody
public List<Course> getCourses(@RequestParam(value = "courseType", required = false) String courseType) {

}
like image 721
NPS Avatar asked Mar 26 '19 19:03

NPS


2 Answers

it seems like the Checkmarx tool is correct in this case.

A "Log Forging" vulnerability means that an attacker could engineer logs of security-sensitive actions and lay a false audit trail, potentially implicating an innocent user or hiding an incident.

While using htmlEscape will escape some special characters:

  • &amplt; represents the < sign.
  • &ampgt; represents the > sign.
  • &ampamp; represents the & sign.
  • &ampquot; represents the " mark.

It will not escape or remove new-line/EOL/tab characters that must be avoided in order to keep logs integrity.

The best practice recommendations to avoid log forging are:

  1. Make sure to replace all relevant dangerous characters. example:

    cleanInput = input.replace('\t', '-').replace('\n', '-').replace('\r', '-');

  2. Validate all input, regardless of source. Validation should be based on a whitelist. Accept only data fitting a specified structure, rather than reject bad patterns. Check for: Data type, Size, Range, Format, Expected values.

Hopefully, that solves your problem.

like image 127
yaloner Avatar answered Oct 21 '22 17:10

yaloner


  1. Have a look at the Logging - OWASP Cheat Sheet Series in the section 'Event Collection'

  2. The best encoder still OWASP Java Encoder => Solve the 2. of @yaloner

  3. There is also a project at OWASP To help you to deal withs log injections OWASP Security Logging => Solve the 1. of @yaloner

Have a look at them will solve the issue

like image 5
SPoint Avatar answered Oct 21 '22 15:10

SPoint