Sensei Logo Sensei Hub

Recipe - Untrusted input in logging

Description:
Prevent log injection by filtering untrusted input
Level:
info
Language:
  • java
Tags:
  • security
  • OWASP Top 10
  • framework specific
  • logging
  • Logger
  • injection
Documentation

Untrusted inputs in logging should be filtered to prevent log injection.

When newline characters are allowed to be logged, this could lead to fake messages being inserted into the logs by an attacker.

References
Recipe
id: scw:logging:log-untrusted-input
version: 10
metadata:
  name: Untrusted input in logging
  shortDescription: Prevent log injection by filtering untrusted input
  level: info
  language: java
  scwCategory: injection:generic
  cweCategory: 117
  enabled: true
  comment: ""
  descriptionFile: Java/Logging/descriptions/Untrusted_input_in_logging.html
  tags: security;OWASP Top 10;framework specific;logging;Logger;injection
search:
  argument:
    in:
      methodcall:
        name: log
        type: java.util.logging.Logger
    type: java.lang.String
    value:
      containsUntrustedInput: true
availableFixes:
- name: Filter newline characters
  actions:
  - rewrite:
      to: ({{{ markedElement }}}).replaceAll("(\\r|\\n)","")