Accepting user input in log files can result in log forging. For example, a user could be able to break a legitimate log entry into two log entries by entering carriage return and line feed (CRLF) sequence. The second entry could be intentionally misleading; for example, it may warn the administrator that a reboot is required to install critical security updates. Consequently, user input must be sanitized before being used or logged.
Logging unsanitized user input can also result in leaking sensitive data across a trust boundary, or storing sensitive data in a manner that is contrary to local law or regulation. See rule IDS01-J. Sanitize untrusted data passed across a trust boundary for more details on input sanitization.
Noncompliant Code Example
This noncompliant code example logs the user's login user name when an invalid request is received. No input sanitization is performed.
logger.severe("Invalid username:" + getUserName());
Compliant Solution
This compliant solution sanitizes the user name input before logging it. Refer to rule IDS01-J. Sanitize untrusted data passed across a trust boundary for more details on input sanitization.
String username = getUserName(); sanitize(username); logger.severe("Invalid username:" + username);
Risk Assessment
Allowing unvalidated user input to be logged can result in forging of log entries, leaking secure information, or storing sensitive data in a manner that is contrary to local law.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
IDS05-J |
medium |
probable |
medium |
P8 |
L2 |
Related Guidelines
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="56612afb-7cbc-4d67-9e63-2cbd4d3d17d3"><ac:plain-text-body><![CDATA[ |
[[MITRE 2009 |
AA. Bibliography#MITRE 09]] |
[CWE ID 144 |
http://cwe.mitre.org/data/definitions/144.html] "Improper Neutralization of Line Delimiters" |
]]></ac:plain-text-body></ac:structured-macro> |
|
CWE ID 150 "Improper Neutralization of Escape, Meta, or Control Sequences" |
Bibliography
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f694c82e-e944-4b37-8a1e-30856029fcff"><ac:plain-text-body><![CDATA[ |
[[API 2006 |
AA. Bibliography#API 06]] |
]]></ac:plain-text-body></ac:structured-macro> |
IDS03-J. Sanitize non-character code points before performing other sanitization IDS08-J. Do not pass untrusted, unsanitized data to the Runtime.exec() method