SLF4J Logging: enforce usage of placeholders in the messages :: Recipe Details

Recipe Name:

SLF4J Logging: enforce usage of placeholders in the messages

Description:

Do not concatenate untrusted data in the message string, instead use placeholders ( '{}' )

Level:

marked_information

Language:

java

Tags:

security
logging
injection
OWASP Top 10
SLF4J
framework specific

Documentation

Untrusted inputs in logging should not be concatenated directly into log messages.

Placeholders should be used to include untrusted data into log messaged in order to prevent altering the structure of the log messages, similar to parameterized queries for SQL.

References

Recipe

id: scw:java:logging:slf4j-log-injection
version: 10
metadata:
  name: 'SLF4J Logging: enforce usage of placeholders in the messages'
  shortDescription: Do not concatenate untrusted data in the message string, instead use placeholders ( '{}' )
  level: marked_information
  language: java
  scwCategory: injection:generic
  cweCategory: 117
  enabled: true
  descriptionFile: Java/Logging/descriptions/Enforce_placeholders_logging_messages.html
  tags: security;logging;injection;OWASP Top 10;SLF4J;framework specific
search:
  methodcall:
    args:
      1:
        type: java.lang.String
        value:
          containsUntrustedInput: true
    anyOf:
    - name: trace
    - name: debug
    - name: info
    - name: warn
    - name: error
    declaration:
      type: org.slf4j.Logger
availableFixes:
- name: Use placeholder to insert untrusted data
  actions:
  - parameterize:
      placeholderFormat: '{}'
      extractUntrustedInput:
        array:
          type: java.lang.String[]
          atArgumentPosition: 2