Accepting user input in log files can result in log forging. For example, if a user enters carriage return and line feed (CRLF) sequences, it may be possible to break apart a legitimate log entry into two log entries. The second entry can be intentionally misleading, for instance, it may warn the administrator that a reboot is required to install critical security updates.
Noncompliant Code Example
This noncompliant code example logs the user's login user name when an invalid request is received. No input sanitization is being performed.
logger.severe("Invalid username:" + getUserName());
Compliant Solution
This compliant solution sanitizes the user name input before logging it. Refer to guideline IDS01-J. Sanitize untrusted input before processing or storing it for more details on input sanitization.
String username = getUserName(); sanitize(username); logger.severe("Invalid username:" + username);
Risk Assessment
Allowing unvalidated user input to be logged can result in forging of log entries.
Guideline |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
EXC12-J |
medium |
probable |
medium |
P8 |
L2 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Bibliography
[[API 2006]]
[[MITRE 2009]] CWE ID 144 and CWE ID 150
EXC11-J. Restore prior object state on method failure 06. Exceptional Behavior (EXC) EXC13-J. Throw specific exceptions as opposed to the more general RuntimeException or Exception