From 8ccacf0900cf6c7ea255da2968bc83fa407197a1 Mon Sep 17 00:00:00 2001
From: Matheus Cortes
Date: Thu, 23 Nov 2023 00:17:46 -0300
Subject: [PATCH] fix log injection vulnerability
---
 app/routes/session.js | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/app/routes/session.js b/app/routes/session.js
index 3810fb9..ffbbdf3 100644
--- a/app/routes/session.js
+++ b/app/routes/session.js
@@ -56,7 +56,6 @@ function SessionHandler(db) {
             password
         } = req.body;
         userDAO.validateLogin(userName, password, (err, user) => {
-            const errorMessage = "Invalid username and/or password";
             const invalidUserNameErrorMessage = "Invalid username";
             const invalidPasswordErrorMessage = "Invalid password";
             if (err) {
@@ -66,18 +65,14 @@ function SessionHandler(db) {
                     // Fix for A1 - 3 Log Injection - encode/sanitize input for CRLF Injection
                     // that could result in log forging:
                     // - Step 1: Require a module that supports encoding
-                    // const ESAPI = require('node-esapi');
+                    const ESAPI = require('node-esapi');
                     // - Step 2: Encode the user input that will be logged in the correct context
                     // following are a few examples:
-                    // console.log('Error: attempt to login with invalid user: %s', // ESAPI.encoder().encodeForHTML(userName));
-                    // console.log('Error: attempt to login with invalid user: %s', // ESAPI.encoder().encodeForJavaScript(userName));
-                    // console.log('Error: attempt to login with invalid user: %s', // ESAPI.encoder().encodeForURL(userName));
+                    console.log('Error: attempt to login with invalid user: %s', ESAPI.encoder().encodeForHTML(userName));
+                    console.log('Error: attempt to login with invalid user: %s', ESAPI.encoder().encodeForJavaScript(userName));
+                    console.log('Error: attempt to login with invalid user: %s', ESAPI.encoder().encodeForURL(userName));
                     // or if you know that this is a CRLF vulnerability you can target this specifically as follows:
-                    // console.log('Error: attempt to login with invalid user: %s', // userName.replace(/(\r\n|\r|\n)/g, '_'));
+                    console.log('Error: attempt to login with invalid user: %s', userName.replace(/(\r\n|\r|\n)/g, '_'));
                     return res.render("login", {
                         userName: userName,
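Review bot: The four `console.log` calls added on the new side are the alternative examples from the comment block all enabled at once, so a single invalid-user attempt now emits four log lines, and three of them apply HTML, JavaScript and URL encoding that belong to other output contexts rather than to a plaintext log. Keep one neutralising call, e.g. `console.log('Error: attempt to login with invalid user: %s', String(userName).replace(/[\x00-\x1f\x7f]/g, '_'));`, which also strips control characters other than CR/LF and does not throw when `req.body.userName` is absent or not a string. `const ESAPI = require('node-esapi')` now runs inside the login callback on every failed attempt and the diffstat touches only session.js, so confirm the package is declared in package.json and hoist the require to module scope if it is kept. The hunk starts at line 66 and the three lines above it are not shown; if the original unencoded `console.log('Error: attempt to login with invalid user: ', userName)` statement sits there, it is still emitted and the log injection the subject line claims to fix remains. The enclosing callback and the `res.render` call continue outside the hunk.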