Recipe Name:
Prevent CRLF injection in SLF4J
Description:
Encode untrusted data to prevent CRLF injection into log files
Level:
marked_information
Language:
- java
Tags:
- security
- SLF4J
- framework specific
- logging
- injection
Recipe
id: scw:logging:slf4j-crlf-injection
version: 10
metadata:
  name: Prevent CRLF injection in SLF4J
  shortDescription: Encode untrusted data to prevent CRLF injection into log files
  level: marked_information
  language: java
  scwCategory: insufficient_logging:generic
  cweCategory: 117
  enabled: true
  tags: security;SLF4J;framework specific;logging;injection
search:
  methodcall:
    args:
      1:
        type: java.lang.String
      2:
        type: java.lang.String
        value:
          containsUntrustedInput: true
          not:
            is:
              methodcall:
                name: encode
                type: java.net.URLEncoder
    name:
      matches: (trace|debug|info|warn|error)
    declaration:
      type: org.slf4j.Logger
availableFixes:
  - name: Encode untrusted data to prevent CRLF injection into log files
    actions:
      - rewrite:
          to: '{{{expressionElement}}}({{{ arguments.0 }}}, java.net.URLEncoder.encode({{{ arguments.1 }}}, java.nio.charset.StandardCharsets.UTF_8))'
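The following is an added example, not part of the recipe: it shows the two-argument Logger call the search clause matches and the call the rewrite action produces. The class name, the logger field, the method names and the sample username are assumptions made for the illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Hypothetical class written for this example; not from the recipe or the SLF4J project. */
public class CrlfLoggingExample {
    private static final Logger LOG = LoggerFactory.getLogger(CrlfLoggingExample.class);

    // Constructed sample input: a username that carries a CR/LF pair followed by
    // text shaped like a second, forged log entry.
    static final String UNTRUSTED = "alice\r\nINFO  Admin login succeeded for user=root";

    /**
     * Before the fix: Logger.info(String, String) with an untrusted second
     * argument. This is exactly what the recipe's search clause flags
     * (declaration type org.slf4j.Logger, name matching info, arg 2 untrusted
     * and not already wrapped in java.net.URLEncoder.encode).
     */
    static void logUnsafe(String username) {
        LOG.info("Login attempt for user {}", username);
    }

    /**
     * After the fix: the rewrite action keeps the format string (arguments.0)
     * and wraps the untrusted value (arguments.1) in URLEncoder.encode(..., UTF_8).
     * CR and LF can no longer reach the log as raw line breaks.
     */
    static void logEncoded(String username) {
        LOG.info("Login attempt for user {}", URLEncoder.encode(username, StandardCharsets.UTF_8));
    }

    /** The same transformation the rewrite applies, exposed so its effect can be inspected. */
    static String encodeForLog(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        logUnsafe(UNTRUSTED);   // the appender writes two physical lines; the second reads like a real entry
        logEncoded(UNTRUSTED);  // one physical line; CR and LF are emitted as %0D and %0A
        System.out.println(encodeForLog(UNTRUSTED));
    }
}
```

URLEncoder.encode(String, Charset) exists from Java 10 onward (older runtimes only have the String-charset-name overload), and because it is a form-encoding routine it also turns spaces into '+' and most punctuation into %XX sequences, so log consumers must decode the field before matching on it.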