IDS04-J. Do not log unsanitized user input

Including user input in log files can result in log forging. For example, a user might split a legitimate log entry into two log entries by entering a carriage return and line feed (CRLF) sequence, either of which might be misleading. To prevent such attacks, user input must be sanitized before being used or logged.

Logging unsanitized user input can also result in leaking sensitive data across a trust boundary, or storing sensitive data in a manner that is contrary to local law or regulation. See rule IDS00-J. Sanitize untrusted data passed across a trust boundary for more details on input sanitization.

Noncompliant Code Example

This noncompliant code example logs the user's login user name when an invalid request is received. No input sanitization is performed.

logger.severe("Invalid username:" + getUserName());

This is noncompliant because ????

Compliant Solution

This compliant solution sanitizes the user name input before logging it. Refer to rule IDS00-J. Sanitize untrusted data passed across a trust boundary for more details on input sanitization.

String username = getUserName();
sanitize(username);
logger.severe("Invalid username:" + username);

Risk Assessment

Allowing unvalidated user input to be logged can result in forging of log entries, leaking secure information, or storing sensitive data in a manner that is contrary to local law.

Related Guidelines

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Bibliography

IDS03-J. Validate all data passed in through environment variables and non-default properties            IDS05-J. Limit the size of files passed to ZipInputStream