If an exception is thrown while logging is in progress, the important data will may not be logged unless special care is taken. This can lead to a multitude of vulnerabilities, either such as denial of service or ones vulnerabilities that allow the attacker to conceal critical security exceptions by preventing them from being logged.
...
This noncompliant code example errs by defining using statements that can throw exceptions when logging is in process. It aims attempts to log a security exception generated within main, however, ends it will end up logging the FileNotFoundException because no messages if a careless administrator renamed the log file or a crafty attacker caused the logging mechanism to fail through network tampering. While this code is slightly convoluted, it is easy to fall prey to similar mistakes that can result in an important security exception from not being logged properly.
| Code Block | ||
|---|---|---|
| ||
public class ExceptionLog {
private String logMessage;
private static Logger theLogger = Logger.getLogger("ExceptionLog.class.getName()");
public static void main(String[] args) {
ExceptionLog log = new ExceptionLog();
//some security exception occurs here
log.logMessage("Security Exception has occurred!");
log.writeLog();
}
public void logMessage(String message) {
logMessage = message;
}
public void writeLog() {
theLogger.info("Starting to log"); try {
try {
FileWriter fw = new FileWriter("log_file.txt", true); //this can throw an exception and prevent logging
BufferedWriter br = new BufferedWriter(fw);
br.write(logMessage + "\n");
br.close();
} catch (FileNotFoundException fnf){ logMessage("File Not Found Exception!"); }
catch(IOException ie) { logMessage("IO Exception!"); }
System.err.println(logMessage);
//misses writing the original security exception to log file, as logMessage has changed
}
}
|
Compliant Solution
This compliant solution declares all executes several statements that can possibly throw exceptions prior to performing any security critical operations and allows writeLog() to throw an exception back to the caller in the event of a problem writing to the log file. As a result, other exceptions do not interfere with the exceptions that need to be result in the silent failure to log a message or a different message than intended being logged. While this is a stringent requirement, it is necessary in cases where an exception can be deliberately thrown to conceal an attacker's tracks. The logging mechanism must be robust and should be able to detect and handle such phenomena.
| Code Block | ||
|---|---|---|
| ||
public class ExceptionLog {
private static String logMessage;
private static Logger theLogger =
Logger.getLogger("ExceptionLog.class.getName()");
public static void main(String[] args) {
ExceptionLog log = new ExceptionLog();
FileWriter fw=null;
BufferedWriter bw=null;
try {
fw = new FileWriter("log_file.txt", true); //this can throw an exception, but security exceptionthe logging of messages is stillnot loggedsilently prevented.
bw = new BufferedWriter(fw);
}
catch (FileNotFoundExceptionIOException fnee) { logMessage("File Not Found Exception!"); }
// The logging example cannot recover from failure to open
// the log file.
throw catchnew RuntimeException(IOException e) { logMessage("IO Exception!");;
}
//some security exception occurs here
try {
log.logMessage("Security Exception has occurred!");
log.writeLog(bw);
}
catch (IOException e) {
// Logging of the security exception does not silently fail.
System.err.println("Logging error failed.");
}
try {
bw.close();
}
catch (IOException e) {
System.err.println("Closing log file failed.");
}
}
public static void logMessage(String message) {
logMessage = message;
}
public void writeLog(BufferedWriter bw) throws IOException {
theLoggerbw.infowrite("StartinglogMessage to+ log"\n");
// log to file
System.err.println(logMessage);
}
}
|
A slightly more expensive alternative is to support recursive logging.
...