...

This noncompliant code example logs the user's login name when an invalid request is received. No input sanitization is performed.

Code Block

if (loginSuccessful) {
  logger.severe("User login succeeded for: " + username);
} else {
  logger.severe("User login failed for: " + username);
}

Without sanitization, a log injection attack is possible. A standard log message when username is david might look like this:

Code Block

May 15, 2011 2:19:10 PM java.util.logging.LogManager$RootLogger log
SEVERE: User login failed for: david

If the username used in the log message were not david, but rather a multiline string like this:

Code Block

david
May 15, 2011 2:25:52 PM java.util.logging.LogManager$RootLogger log
SEVERE: User login succeeded for: administrator

the log would contain the following misleading data:

Code Block

May 15, 2011 2:19:10 PM java.util.logging.LogManager$RootLogger log
SEVERE: User login failed for: david
May 15, 2011 2:25:52 PM java.util.logging.LogManager log
SEVERE: User login succeeded for: administrator

...

This compliant solution validates the username input against an allow-list pattern before logging it, which prevents the injection. Refer to rule IDS00-J. Sanitize untrusted data passed across a trust boundary for more details on input sanitization.

Code Block

if (!Pattern.matches("[A-Za-z0-9_]+", username)) {
  // Unsanitized username
  logger.severe("User login failed for unauthorized user");
} else if (loginSuccessful) {
  logger.severe("User login succeeded for: " + username);
} else {
  logger.severe("User login failed for: " + username);
}
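As an added example that is not part of the CERT page, the class below wraps the compliant check in a reusable helper and runs the page's two inputs (the plain name and the multiline forgery) through it; the class and method names are assumptions.

```java
import java.util.logging.Logger;
import java.util.regex.Pattern;

// Added example, not code from the CERT page: the compliant allow-list check
// factored into a helper so the logged message can be inspected directly.
public class LoginLogging {
    private static final Logger logger = Logger.getLogger(LoginLogging.class.getName());

    // Same allow-list as the compliant solution: letters, digits and underscore only,
    // so CR, LF and other control characters can never reach the log.
    private static final Pattern SAFE_USERNAME = Pattern.compile("[A-Za-z0-9_]+");

    // Returns the username unchanged if the whole string matches the allow-list, else null.
    static String validatedUsername(String username) {
        if (username == null || !SAFE_USERNAME.matcher(username).matches()) {
            return null;
        }
        return username;
    }

    // Builds the exact message that will be logged, mirroring the compliant solution's branches.
    static String loginMessage(String username, boolean loginSuccessful) {
        String safe = validatedUsername(username);
        if (safe == null) {
            return "User login failed for unauthorized user";
        }
        return (loginSuccessful ? "User login succeeded for: " : "User login failed for: ") + safe;
    }

    static void logLogin(String username, boolean loginSuccessful) {
        logger.severe(loginMessage(username, loginSuccessful));
    }

    public static void main(String[] args) {
        // Constructed inputs: the page's plain username and its multiline forgery attempt.
        String plain = "david";
        String forged = "david\nMay 15, 2011 2:25:52 PM java.util.logging.LogManager$RootLogger log\n"
                      + "SEVERE: User login succeeded for: administrator";

        logLogin(plain, false);   // one log record: User login failed for: david
        logLogin(forged, false);  // one log record: User login failed for unauthorized user
        logLogin("david\r", false); // a lone carriage return is rejected the same way
    }
}
```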

...

Rule     | Severity | Likelihood | Remediation Cost | Priority | Level
IDS03-J  | medium   | probable   | medium           | P8       | L2

Automated Detection

Tool     | Version | Checker        | Description
Klocwork |         | SVLOG_FORGING  | Implemented
Fortify  |         | Log_Forging    | Implemented

Related Guidelines

ISO/IEC TR 24772:2010 | Injection [RST]
MITRE CWE             | CWE-144. Improper neutralization of line delimiters
                      | CWE-150. Improper neutralization of escape, meta, or control sequences

...