CodeQL documentation

Log Injection

ID: java/log-injection
Kind: path-problem
Security severity: 7.8
Severity: error
Precision: medium
Tags:
  - security
  - external/cwe/cwe-117
Query suites:
  - java-security-extended.qls
  - java-security-and-quality.qls

If unsanitized user input is written to a log entry, a malicious user may be able to forge new log entries.

Forgery can occur if a user provides some input creating the appearance of multiple log entries. This can include unescaped new-line characters, or HTML or other markup.

Recommendation

User input should be suitably sanitized before it is logged.

If the log entries are plain text, then line breaks should be removed from user input, for example with `String.replace(char oldChar, char newChar)` or similar. Care should also be taken that user input is clearly marked in log entries, so that a malicious user cannot cause confusion in other ways.

For log entries that will be displayed in HTML, user input should be HTML encoded before being logged, to prevent forgery and other forms of HTML injection.

Example

In the first example (the `/bad` endpoint), a username provided by the user is logged using `logger.warn` (from `org.slf4j.Logger`) without any sanitization. If a malicious user provides `Guest'%0AUser:'Admin` as the username parameter, the log entry is split into two separate lines: the first line will be `User:'Guest'` and the second one will be `User:'Admin'`.

```java
package com.example.restservice;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class LogInjection {

    private final Logger log = LoggerFactory.getLogger(LogInjection.class);

    // /bad?username=Guest'%0AUser:'Admin
    @GetMapping("/bad")
    public String bad(@RequestParam(value = "username", defaultValue = "name") String username) {
        log.warn("User:'{}'", username);
        // The logging call above would result in multiple log entries as shown below:
        // User:'Guest'
        // User:'Admin'
        return username;
    }
}
```

In the second example (the `/good` endpoint), `matches()` is used to ensure the user input contains only alphanumeric characters. If a malicious user provides `Guest'%0AUser:'Admin` as the username parameter, the input is not logged at all, preventing the injection.

```java
package com.example.restservice;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class LogInjection {

    private final Logger log = LoggerFactory.getLogger(LogInjection.class);

    // /good?username=Guest'%0AUser:'Admin
    @GetMapping("/good")
    public String good(@RequestParam(value = "username", defaultValue = "name") String username) {
        // The regex check here allows only alphanumeric characters to pass,
        // so the logging call cannot result in log injection.
        if (username.matches("\\w*")) {
            log.warn("User:'{}'", username);
            return username;
        }
        // Input that fails the allowlist check is neither logged nor echoed back.
        return null;
    }
}
```
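The two sanitizers the Recommendation section calls for (line-break removal for plain-text logs, HTML encoding for logs rendered in a browser) and the `/good` allowlist check, exercised on the decoded form of the page's payload. This is an added example written for this page, not code from the CodeQL repository; it depends only on the JDK so it compiles without SLF4J or Spring, and the class and method names are my own.

```java
import java.util.regex.Pattern;

public class LogSanitizerDemo {

    // Plain-text logs: strip CR/LF so one input cannot become two entries.
    // The replacement character is visible, so a reviewer can see a substitution happened.
    static String forPlainTextLog(String userInput) {
        if (userInput == null) {
            return "null";
        }
        return userInput.replace('\r', '_').replace('\n', '_');
    }

    // HTML-rendered logs: remove line breaks, then escape the characters that form markup.
    static String forHtmlLog(String userInput) {
        String noNewlines = forPlainTextLog(userInput);
        StringBuilder sb = new StringBuilder(noNewlines.length());
        for (char c : noNewlines.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Allowlist check equivalent to the /good endpoint's username.matches("\\w*").
    private static final Pattern SAFE = Pattern.compile("\\w*");

    static boolean isAllowlisted(String userInput) {
        return userInput != null && SAFE.matcher(userInput).matches();
    }

    public static void main(String[] args) {
        // Constructed input: what the controller receives once Spring has
        // URL-decoded the page's payload "Guest'%0AUser:'Admin" (%0A is a newline).
        String username = "Guest'\nUser:'Admin";
        System.out.println("Unsanitized -> User:'" + username + "'");
        System.out.println("Plain text  -> User:'" + forPlainTextLog(username) + "'");
        System.out.println("HTML        -> User:'" + forHtmlLog(username) + "'");
        System.out.println("Allowlisted -> " + isAllowlisted(username));
    }
}
```

Running `main` prints the unsanitized line as two apparent log entries, the sanitized variants as a single line each, and `false` for the allowlist check, which is why the `/good` endpoint never logs this input.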
