问题
Can anyone suggest the proper sanitization/validation process required for the courseType variable in the following getCourses method. I am using that variable to write in a log file.
I've tried HtmlUtils.HtmlEscape() but didn't get expected results.
Thanks!
@RequestMapping(value = "/retriveCourses", method = RequestMethod.GET)
@ResponseBody
public List<Course> getCourses(@RequestParam(value = "courseType", required = false) String courseType) {
}
回答1:
it seems like the Checkmarx tool is correct in this case.
A "Log Forging" vulnerability means that an attacker could engineer logs of security-sensitive actions and lay a false audit trail, potentially implicating an innocent user or hiding an incident.
While using htmlEscape will escape some special characters:
&lt;represents the<sign.&gt;represents the>sign.&amp;represents the&sign.&quot;represents the"mark.
It will not escape or remove new-line/EOL/tab characters that must be avoided in order to keep logs integrity.
The best practice recommendations to avoid log forging are:
Make sure to replace all relevant dangerous characters. example:
cleanInput = input.replace('\t', '-').replace('\n', '-').replace('\r', '-');Validate all input, regardless of source. Validation should be based on a whitelist. Accept only data fitting a specified structure, rather than reject bad patterns. Check for: Data type, Size, Range, Format, Expected values.
Hopefully, that solves your problem.
回答2:
Have a look at the OWASP Injection Prevention Cheat Sheet on the section 'Log Injection'
The best encoder still OWASP Java Encoder => Solve the 2. of @yaloner
There is also a project at OWASP To help you to deal withs log injections OWASP Security Logging => Solve the 1. of @yaloner
Have a look at them will solve the issue
来源:https://stackoverflow.com/questions/55364577/checkmarx-java-fix-for-log-forging-sanitizing-user-input