Skip to content

Java: Promote Log Injection from experimental #7054

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
atorralba merged 12 commits into from
Jan 11, 2022
Merged

Java: Promote Log Injection from experimental #7054

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
7f15177
Move from experimental
atorralba Oct 29, 2021
3ea1af3
Refactor into separate libraries
atorralba Oct 29, 2021
ebd6529
WIP: add tests
atorralba Nov 2, 2021
7d88f80
Add tests for summaries
atorralba Nov 3, 2021
f1df542
Add stubs & tests
atorralba Nov 3, 2021
474bf57
Minor corrections in QLDoc, qhelp and example code
atorralba Nov 4, 2021
ea7e259
Add change note
atorralba Nov 4, 2021
6613a98
Fix references to logging library
atorralba Nov 4, 2021
0e73862
Merge branch 'main' into atorralba/promote-log-injection
atorralba Jan 10, 2022
fbebf5e
Move change note to new location
atorralba Jan 10, 2022
b9e3220
Move change note to new location
atorralba Jan 11, 2022
1030ff7
Update java/ql/src/Security/CWE/CWE-117/LogInjection.ql
atorralba Jan 11, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Minor corrections in QLDoc, qhelp and example code
  • Loading branch information
@atorralba
atorralba committed Nov 4, 2021
commit 474bf576a7c73ddd2a976e3d54049aa423f15f5c
2 changes: 1 addition & 1 deletion java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ import semmle.code.java.security.LogInjection
* A taint-tracking configuration for tracking untrusted user input used in log entries.
*/
class LogInjectionConfiguration extends TaintTracking::Configuration {
LogInjectionConfiguration() { this = "Log Injection" }
LogInjectionConfiguration() { this = "LogInjectionConfiguration" }

override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

Expand Down
7 changes: 3 additions & 4 deletions java/ql/src/Security/CWE/CWE-117/LogInjection.qhelp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,16 +29,15 @@ other forms of HTML injection.
</recommendation>

<example>
<p>In the example, a username, provided by the user, is logged using <code>logger.warn</code> (from <code>org.slf4j.Logger</code>).
<p>In the first example, a username, provided by the user, is logged using <code>logger.warn</code> (from <code>org.slf4j.Logger</code>).
In the first case (<code>/bad</code> endpoint), the username is logged without any sanitization.
If a malicious user provides <code>Guest'%0AUser:'Admin</code> as a username parameter,
the log entry will be split into two separate lines, where the first line will be <code>User:'Guest'</code> and the second one will be <code>User:'Admin'</code>.
</p>
<sample src="LogInjectionBad.java" />

<p> In the second case (<code>/good</code> endpoint), <code>matches()</code> is used to ensure the user input only has alphanumeric characters.
If a malicious user provides `Guest'%0AUser:'Admin` as a username parameter,
the log entry will not be split into two separate lines, resulting in a single line <code>User:'Guest'User:'Admin'</code>.</p>
<p> In the second example (<code>/good</code> endpoint), <code>matches()</code> is used to ensure the user input only has alphanumeric characters.
If a malicious user provides `Guest'%0AUser:'Admin` as a username parameter, the log entry will not be logged at all, preventing the injection.</p>

<sample src="LogInjectionGood.java" />
</example>
Expand Down
5 changes: 3 additions & 2 deletions java/ql/src/Security/CWE/CWE-117/LogInjection.ql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,10 @@
/**
* @name Log Injection
* @description Building log entries from user-controlled data is vulnerable to
* insertion of forged log entries by a malicious user.
* @description Building log entries from user-controlled data may allow
* insertion of forged log entries by malicious users.
* @kind path-problem
* @problem.severity error
* @security-severity 7.8
* @precision high
* @id java/log-injection
* @tags security
Expand Down
4 changes: 2 additions & 2 deletions java/ql/src/Security/CWE/CWE-117/LogInjectionGood.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,9 +16,9 @@ public class LogInjection {
public String good(@RequestParam(value = "username", defaultValue = "name") String username) {
// The regex check here, allows only alphanumeric characters to pass.
// Hence, does not result in log injection
if (username.matches("\w*")) {
if (username.matches("\\w*")) {
log.warn("User:'{}'", username);

return username;
}
}
Expand Down