...
| Code Block |
|---|
May 15, 2011 2:19:10 PM java.util.logging.LogManager$RootLogger log SEVERE: User login failed for: guest May 15, 2011 2:25:52 PM java.util.logging.LogManager log SEVERE: User login succeeded for: administrator |
Compliant Solution (Sanitized User)
This compliant solution validates sanitizes the username input before before logging it, preventing injection attacks.
| Code Block | ||
|---|---|---|
| ||
if (loginSuccessful) { logger.severe("User login succeeded for: " + sanitizeUser(username)); } else { (!logger.severe("User login failed for: " + sanitizeUser(username)); } |
The sanitization is done by a dedicated method for sanitizing user names:
| Code Block | ||
|---|---|---|
| ||
public String sanitizeUser(String username) { return Pattern.matches("[A-Za-z0-9_]+", username)) { // Unsanitized username logger.severe("User login failed for ? username : "unauthorized user"); } |
Compliant Solution (Sanitized Logger)
This compliant solution uses a text logger that automatically sanitizes its input. A sanitized logger saves the developer from having to worry about unsanitized log messages.
| Code Block | ||
|---|---|---|
| ||
Logger sanLogger = new SanitizedTextLogger(logger); else if (loginSuccessful) { loggersanLogger.severe("User login succeeded for: " + username); } else { loggersanLogger.severe("User login failed for: " + username); } |
The sanitized text logger takes as delegate an actual logger. We assume the logger outputs text log messages to a file, network, or the console, and each log message has no indented lines. The sanitized text logger sanitizes all text to be logged by indenting every line except the first by two spaces. While a malicious user can indent text by more, a malicious user cannot create a fake log entry because all of her output will be indented, except for the real log output.
| Code Block | ||
|---|---|---|
| ||
class SanitizedTextLogger extends Logger { Logger delegate; public SanitizedTextLogger(Logger delegate) { super(delegate.getName(), delegate.getResourceBundleName()); this.delegate = delegate; } public String sanitize(String msg) { Pattern newline = Pattern.compile("\n"); Matcher matcher = newline.matcher(msg); return matcher.replaceAll("\n "); } public void severe(String msg) { delegate.severe(sanitize(msg)); } // .. Other Logger methods which must also sanitize their log messages } |
Risk Assessment
Allowing unvalidated user input to be logged can result in forging of log entries, leaking secure information, or storing sensitive data in a manner that violates a local law or regulation.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
IDS03-J | Medium | Probable | Medium | P8 | L2 |
Automated Detection
| Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| The Checker Framework |
| Tainting Checker | Trust and security errors (see Chapter 8) | ||||||
| CodeSonar |
| JAVA.IO.TAINT.LOG | Tainted Log (Java) | ||||||
| Fortify |
| Log_Forging | Implemented | |
| Klocwork |
| SVLOG_FORGING | Implemented | ||||||
| Parasoft Jtest |
| CERT.IDS03.TDLOG | Protect against log forging |
Related Guidelines
Injection [RST] | |
CWE-144, Improper neutralization of line delimiters | |
| MITRE CAPEC | CAPEC-93, Log Injection-Tampering-Forging |
Bibliography
...
...