Question
I read on some forums the myth that it is enough to pass the Veracode CWE 117 (Improper Output Neutralization for Logs) issue by doing something like this. Can somebody confirm if this is the case or not?
message.replaceAll("\r", "_").replaceAll("\n", "_");
From this topic How to fix Veracode CWE 117 (Improper Output Neutralization for Logs), I understand that I need to do something like this
ESAPI.encoder().encodeForHTML(message);
Answer 1:
The message needs to be escaped for the context which it is in. The ESAPI logger does replace the \r and \n characters as well as encode for html if configured to do so.
Currently this code gives me a CWE 117 from Veracode:
log.log(Level.WARNING, System.getenv("unsafe"));
This code does not:
log.log(Level.WARNING, ESAPI.encoder().encodeForHTML(System.getenv("unsafe")));
encodeForHTML encodes \r and \n to HTML character references respectively, but an underscore is imho cleaner and if you decoded the html you may get unexpected new lines.
Answer 2:
We can do it either way.
message.replaceAll("\r", "_").replaceAll("\n", "_");
or
ESAPI.encoder().encodeForHTML(message);
or
HtmlUtils.htmlEscape(input)
Answer 3:
If you don't want to directly use ESAPI, you can write your own function which does similar things:
- escapes new lines and
- encodes html.
I have given an example of such function (based on ESAPI) as an answer here: security flaw - veracode report - crlf injection
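The custom function Answer 3 describes, written out as an added example (this is not code from the original answers, from ESAPI, or from Veracode): it replaces \r, \n and other control characters with an underscore so one log call cannot forge a second log line, then HTML-encodes the result for viewers that render logs as HTML. The class name LogSanitizer, the method names and the sample input are assumptions for the demonstration.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

/** Hypothetical log neutralizer; not the ESAPI implementation. */
public final class LogSanitizer {
    private static final Logger LOG = Logger.getLogger(LogSanitizer.class.getName());

    private LogSanitizer() {}

    /** Replace CR, LF and other control characters so one log call stays one log line. */
    public static String escapeNewlines(String input) {
        if (input == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(input.length());
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            // \r and \n are the CWE-117 vectors; other C0 controls and DEL are
            // replaced too because some viewers treat them as line or cursor control.
            if (c == '\r' || c == '\n' || c < 0x20 || c == 0x7f) {
                out.append('_');
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    /** Minimal HTML encoding of the characters that matter when a log viewer renders HTML. */
    public static String encodeHtml(String input) {
        if (input == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(input.length());
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Order matters: newlines are removed first so no encoded form can later decode into a line break. */
    public static String neutralize(String input) {
        return encodeHtml(escapeNewlines(input));
    }

    public static void main(String[] args) {
        // Constructed sample: a value that tries to forge a second, fake log line
        // and to inject markup into an HTML log viewer.
        String unsafe = "alice\r\nWARNING: admin login succeeded <b>ok</b>";
        LOG.log(Level.WARNING, "User lookup for {0}", neutralize(unsafe));
        // Logs one line: User lookup for alice__WARNING: admin login succeeded &lt;b&gt;ok&lt;/b&gt;
    }
}
```

Underscore replacement keeps the record a single line even after a downstream tool HTML-decodes it, which is the concern Answer 1 raises about encoding \r and \n as entities; the HTML step is only needed if something renders the log in a browser, and it is harmless otherwise.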
Answer 4:
You can use the escapeJava method of StringEscapeUtils to pass the CWE-117 in Veracode. I was able to pass CWE-117 with 2.6 of commons-lang https://mvnrepository.com/artifact/commons-lang/commons-lang/2.6
StringEscapeUtils.escapeJava(message)
Source: https://stackoverflow.com/questions/46564555/pass-veracode-cwe-117-improper-output-neutralization-for-logs-only-with-replac