Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improper Output Neutralization for Logs ('CRLF Injection') [VID:193] #244

Open
github-actions bot opened this issue Sep 18, 2023 · 0 comments
Open
Labels
Veracode Policy Scan A Veracode Flaw found during a Policy or Sandbox Scan VeracodeFlaw: Medium A Veracode Flaw, Medium severity

Comments

@github-actions
Copy link

Filename: UserController.java

Line: 814

CWE: 117 (Improper Output Neutralization for Logs ('CRLF Injection'))

This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

@github-actions github-actions bot added Veracode Policy Scan A Veracode Flaw found during a Policy or Sandbox Scan VeracodeFlaw: Medium A Veracode Flaw, Medium severity labels Sep 18, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Veracode Policy Scan A Veracode Flaw found during a Policy or Sandbox Scan VeracodeFlaw: Medium A Veracode Flaw, Medium severity
Projects
None yet
Development

No branches or pull requests

0 participants