Recipe Name:
SLF4J Logging: enforce usage of placeholders in the messages
Description:
Do not concatenate untrusted data in the message string, instead use placeholders ( '{}' )
Level:
marked_information
Language:
  • java
Tags:
  • security
  • logging
  • injection
  • OWASP Top 10
  • SLF4J
  • framework specific
Documentation

Untrusted input must not be concatenated directly into a log message string.

Use placeholders ('{}') to pass untrusted data as arguments instead: the message pattern stays a constant, the data is kept separate from it, and the argument is only converted to a string when the log level is enabled. Note that, unlike a parameterized SQL query, a placeholder does not encode the value it inserts: carriage returns and line feeds in the argument still reach the log and can forge additional log entries (CWE-117). Neutralize such characters before logging, or configure the logging backend to do so.
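The following is an added example, not part of the original recipe page and not Secure Code Warrior code. It shows the pattern the recipe flags (untrusted data concatenated into the message argument), the form its fix produces (a constant pattern plus an argument), and why a placeholder alone is not enough against log forging. The class name `LoginAudit`, the `neutralizeForLog` helper and the forged input are assumptions constructed for the demonstration; `org.slf4j.helpers.MessageFormatter` is the formatter SLF4J itself uses to expand `{}` and is used here only to show the resulting message without needing a logging backend.

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.helpers.MessageFormatter;

public class LoginAudit {
    private static final Logger log = LoggerFactory.getLogger(LoginAudit.class);

    // Flagged by the recipe: untrusted data is concatenated into argument 1 (the message).
    static void recordLoginConcatenated(String username) {
        log.info("Login attempt for user " + username);
    }

    // What the recipe's fix produces: the pattern is constant, the data moves to the argument array.
    // username.toString() is only evaluated if INFO is enabled.
    static void recordLoginParameterized(String username) {
        log.info("Login attempt for user {}", username);
    }

    // Hypothetical helper (not an SLF4J API): placeholders do not encode CR/LF, so strip them
    // before the value reaches the log (CWE-117). Adjust the replacement policy to your backend.
    static String neutralizeForLog(String value) {
        if (value == null) {
            return "null";
        }
        return value.replaceAll("[\\r\\n]", "_");
    }

    static void recordLoginHardened(String username) {
        log.info("Login attempt for user {}", neutralizeForLog(username));
    }

    // Expands the pattern the same way the logger does, to inspect the final message text.
    static String expand(String pattern, Object arg) {
        return MessageFormatter.format(pattern, arg).getMessage();
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled input: a newline followed by a fake audit entry.
        String forged = "alice\nINFO  LoginAudit - Login attempt for user admin succeeded";

        recordLoginConcatenated(forged);   // forged line lands in the log
        recordLoginParameterized(forged);  // still lands in the log: {} formats, it does not encode
        recordLoginHardened(forged);       // one line; CR/LF replaced with '_'

        // Show the difference explicitly: the parameterized message still contains the newline.
        String raw = expand("Login attempt for user {}", forged);
        String safe = expand("Login attempt for user {}", neutralizeForLog(forged));
        System.out.println(raw.contains("\n"));   // true: placeholder did not neutralize it
        System.out.println(safe.contains("\n"));  // false: sanitized before substitution
    }
}
```

Run with any SLF4J binding (for example logback-classic) on the classpath; without a binding, SLF4J prints a warning and discards the log calls, but the `expand` comparison in `main` still runs. The recipe's search block matches the first method (argument 1 of type `java.lang.String` containing untrusted input on an `org.slf4j.Logger` method) and its fix rewrites it into the shape of the second; the third method is the additional step needed for log injection.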

References
Recipe
id: scw:java:logging:slf4j-log-injection
version: 10
metadata:
  name: 'SLF4J Logging: enforce usage of placeholders in the messages'
  shortDescription: Do not concatenate untrusted data in the message string, instead use placeholders ( '{}' )
  level: marked_information
  language: java
  scwCategory: injection:generic
  cweCategory: 117
  enabled: true
  descriptionFile: Java/Logging/descriptions/Enforce_placeholders_logging_messages.html
  tags: security;logging;injection;OWASP Top 10;SLF4J;framework specific
search:
  methodcall:
    args:
      1:
        type: java.lang.String
        value:
          containsUntrustedInput: true
    anyOf:
    - name: trace
    - name: debug
    - name: info
    - name: warn
    - name: error
    declaration:
      type: org.slf4j.Logger
availableFixes:
- name: Use placeholder to insert untrusted data
  actions:
  - parameterize:
      placeholderFormat: '{}'
      extractUntrustedInput:
        array:
          type: java.lang.String[]
          atArgumentPosition: 2