Recipe Name:
Untrusted input in logging
Description:
Prevent log injection by filtering untrusted input
Level:
info
Language:
  • java
Tags:
  • security
  • OWASP Top 10
  • framework specific
  • logging
  • Logger
  • injection
Documentation

Untrusted inputs in logging should be filtered to prevent log injection.

If untrusted input containing newline characters is written to the log unchanged, an attacker can terminate the current entry and forge additional, fake log entries that look legitimate to anyone reading or parsing the logs.
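The following is an added illustration, not code from the recipe page or from Secure Code Warrior: it logs a constructed attacker-controlled username with `java.util.logging.Logger` (the call shape the recipe's search clause matches) first verbatim, so the embedded newline produces a forged second entry, and then after applying the recipe's `replaceAll("(\\r|\\n)","")` fix. The class, method names and the sample input are assumptions made for the demo.

```java
import java.util.logging.ConsoleHandler;
import java.util.logging.Formatter;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

/*
 * Added example (not part of the recipe page). Demonstrates CWE-117 log
 * injection through java.util.logging and the recipe's newline-stripping fix.
 * The "untrusted" value below is constructed to mimic a request parameter.
 */
public class LogInjectionDemo {

    private static final Logger LOGGER = Logger.getLogger(LogInjectionDemo.class.getName());

    // One record per line, no timestamp, so a forged entry is easy to spot.
    static {
        LOGGER.setUseParentHandlers(false);
        ConsoleHandler handler = new ConsoleHandler();
        handler.setFormatter(new Formatter() {
            @Override
            public String format(LogRecord record) {
                return record.getLevel() + " " + record.getMessage() + System.lineSeparator();
            }
        });
        LOGGER.addHandler(handler);
    }

    // Vulnerable: the untrusted value reaches Logger.log(...) unchanged.
    // This is the pattern the recipe's "search" clause flags.
    static void logLoginVulnerable(String username) {
        LOGGER.log(Level.INFO, "Login attempt for user: " + username);
    }

    // The recipe's "Filter newline characters" rewrite: drop CR and LF.
    static String stripNewlines(String untrusted) {
        return untrusted.replaceAll("(\\r|\\n)", "");
    }

    // Fixed: the same log call, with the untrusted value filtered first.
    static void logLoginFixed(String username) {
        LOGGER.log(Level.INFO, "Login attempt for user: " + stripNewlines(username));
    }

    public static void main(String[] args) {
        // Constructed attacker input: a real-looking username followed by a
        // newline and a fabricated entry that claims a successful admin login.
        String untrusted = "alice\nINFO Login attempt for user: admin (authenticated)";

        // ConsoleHandler writes to System.err, so the separators go there too
        // to keep the output in order.
        System.err.println("--- vulnerable: two lines, the second one is forged ---");
        logLoginVulnerable(untrusted);

        System.err.println("--- fixed: one line, newline removed ---");
        logLoginFixed(untrusted);
    }
}
```

Compile and run with `javac LogInjectionDemo.java && java LogInjectionDemo`. The fixed variant keeps the whole attacker string on the original line, where it is visibly part of the `alice` login attempt rather than a separate entry. Removing CR and LF is exactly what the recipe rewrites in; whether other control characters or terminal escape sequences also need filtering depends on where the logs are viewed, and is a separate decision from this recipe.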

Recipe
id: scw:logging:log-untrusted-input
version: 10
metadata:
  name: Untrusted input in logging
  shortDescription: Prevent log injection by filtering untrusted input
  level: info
  language: java
  scwCategory: injection:generic
  cweCategory: 117
  enabled: true
  comment: ""
  descriptionFile: Java/Logging/descriptions/Untrusted_input_in_logging.html
  tags: security;OWASP Top 10;framework specific;logging;Logger;injection
search:
  argument:
    in:
      methodcall:
        name: log
        type: java.util.logging.Logger
    type: java.lang.String
    value:
      containsUntrustedInput: true
availableFixes:
- name: Filter newline characters
  actions:
  - rewrite:
      to: ({{{ markedElement }}}).replaceAll("(\\r|\\n)","")