Versions Compared

Comment: sanitizeUser

...

Compliant Solution

This compliant solution sanitizes the username input before logging it, preventing injection attacks.

Code Block

if (loginSuccessful) {
  // The username is passed through sanitizeUser() before it reaches the log
  logger.severe("User login succeeded for: " + sanitizeUser(username));
} else {
  logger.severe("User login failed for: " + sanitizeUser(username));
}

The sanitization is done by a dedicated method for sanitizing user names:

 

Code Block

import java.util.regex.Pattern;

public String sanitizeUser(String username) {
  // Pattern.matches() requires the entire string to match the whitelist
  return Pattern.matches("[A-Za-z0-9_]+", username)
      ? username : "unauthorized user";
}
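
As an added example (not the page's own code), the sanitizer above wrapped in a runnable class with constructed inputs, including one that carries an embedded line break, to show that the whole-string match performed by Pattern.matches() rejects any value that could otherwise start a forged second log record; the class name, the precompiled pattern and the null check are assumptions.

```java
import java.util.logging.Logger;
import java.util.regex.Pattern;

public final class LoginAudit {
    private static final Logger logger = Logger.getLogger(LoginAudit.class.getName());

    // Precompiled whitelist (assumption: the page calls Pattern.matches() directly).
    // matcher(...).matches() anchors at both ends, so a newline, a tab or any other
    // character outside the class causes the whole value to be rejected.
    private static final Pattern SAFE_USERNAME = Pattern.compile("[A-Za-z0-9_]+");

    // Same policy as the page's sanitizeUser(): return the name unchanged only if it
    // consists solely of whitelisted characters, otherwise a fixed placeholder that
    // cannot carry attacker-controlled text into the log. Null handling is an addition.
    public static String sanitizeUser(String username) {
        return username != null && SAFE_USERNAME.matcher(username).matches()
                ? username : "unauthorized user";
    }

    // Both branches of the page's compliant solution, folded into one method
    public static void logLogin(boolean loginSuccessful, String username) {
        String outcome = loginSuccessful ? "succeeded" : "failed";
        logger.severe("User login " + outcome + " for: " + sanitizeUser(username));
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the original page
        String benign = "jsmith_42";
        // A value with an embedded line break: logged raw, the text after the newline
        // would be written as a separate, legitimate-looking log record
        String crafted = "guest\nINFO: User login succeeded for: admin";
        String nonAscii = "j\u00f6hn";   // outside the ASCII whitelist, so also rejected

        System.out.println("benign   -> " + sanitizeUser(benign));
        System.out.println("crafted  -> " + sanitizeUser(crafted));
        System.out.println("nonAscii -> " + sanitizeUser(nonAscii));
        System.out.println("null     -> " + sanitizeUser(null));

        // Produces exactly one log record; the crafted second line never appears
        logLogin(false, crafted);
    }
}
```

Only the benign value survives unchanged; every other input, including the one with the newline, is replaced by the placeholder, so the log keeps one record per login attempt.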
Risk Assessment

Allowing unvalidated user input to be logged can result in forging of log entries, leaking secure information, or storing sensitive data in a manner that violates a local law or regulation.

...