SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 53

changes.mady.by.user Robert Seacord (Manager)

Saved on

compared with

New Version 54

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Logging unsanitized user input can also result in leaking sensitive data across a trust boundary, or storing sensitive data in a manner that is contrary to local law or regulation. See rule IDS00-J. Sanitize untrusted data passed across a trust boundary for more details on input sanitization.

Log Injection

A log injection vulnerability arises when the original log entry can be altered to form one or more altogether different entries. Execution of this altered entry may result in log data that is deceptive and fraudulent. The primary means of preventing log injection are sanitizing and validating any untrusted input sent to a log.

Consider a system log that records login attempts. A standard log message might look like this:

Code Block

May 15, 2011 2:19:10 PM java.util.logging.LogManager$RootLogger log
SEVERE: User login failed for: david

If the username that is used in a log message was not david, but rather something like:

Code Block

david
May 15, 2011 2:25:52 PM java.util.logging.LogManager$RootLogger log
SEVERE: User login succeeded for: administrator

the log would contain the following misleading data:

Code Block

May 15, 2011 2:19:10 PM java.util.logging.LogManager$RootLogger log
SEVERE: User login failed for: david
May 15, 2011 2:25:52 PM java.util.logging.LogManager log
SEVERE: User login succeeded for: administrator

Noncompliant Code Example

This noncompliant code example logs the user's login user name when an invalid request is received. No input sanitization is performed.

Code Block
bgColor#FFCCCC

if (loginSuccessful) {
  logger.severe("Invalid usernameUser login succeeded for:" + username);
} else {
  logger.severe("User login failed for:" + getUserName(username));
}

This is noncompliant because ????With no sanitization, the log injection described above is possible.

Compliant Solution

This compliant solution sanitizes the user name input before logging it, preventing injection. Refer to rule IDS00-J. Sanitize untrusted data passed across a trust boundary for more details on input sanitization.

Code Block
bgColor#ccccff
String username = getUserName();
sanitize(username);
if (!Pattern.matches("[A-Za-z_]+", username)) {
  // Unsanitized user name
  logger.severe("User login failed for unauthorized user");
} else if (loginSuccessful) {
  logger.severe("User login succeeded for:" + username);
} else {
  logger.severe("Invalid usernameUser login failed for:" + username);
}

Risk Assessment

Allowing unvalidated user input to be logged can result in forging of log entries, leaking secure information, or storing sensitive data in a manner that is contrary to local law.

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ca15ed210a984426-27214248-495d4548-a6c389ce-f80435ab4ff2aff4975c1757"><ac:plain-text-body><![CDATA[

[[MITRE 2009

AA. Bibliography#MITRE 09]]

[CWE ID 144

http://cwe.mitre.org/data/definitions/144.html] "Improper Neutralization of Line Delimiters"

]]></ac:plain-text-body></ac:structured-macro>

 

CWE ID 150 "Improper Neutralization of Escape, Meta, or Control Sequences"

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="15d97547e7c7aa95-1c953acb-4c204535-bd7aa9aa-a735f09a92abcca537d79931"><ac:plain-text-body><![CDATA[

[[API 2006

AA. Bibliography#API 06]]

]]></ac:plain-text-body></ac:structured-macro>

...