java/lang/security/audit/crlf-injection-logs.yaml

rules:
- id: crlf-injection-logs
  message: >-
    When data from an untrusted source is put into a logger and not neutralized correctly,
    an attacker could forge log entries or include malicious content.
  metadata:
    cwe:
    - "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')"
    owasp:
    - A03:2021 - Injection
    source-rule-url: https://find-sec-bugs.github.io/bugs.htm#CRLF_INJECTION_LOGS
    category: security
    technology:
    - java
    references:
    - https://owasp.org/Top10/A03_2021-Injection
    subcategory:
    - vuln
    likelihood: LOW
    impact: MEDIUM
    confidence: MEDIUM
  severity: WARNING
  languages: [java]
  patterns:
      # Enumerate possible enclosing scopes that define request and logger
  - pattern-either:
          # Logger is defined as a field on a class
    - patterns:
      - pattern-inside: |
          class $CLASS {
            ...
            Logger $LOG = ...;
            ...
          }
      - pattern-either:
        - pattern-inside: |
            $X $METHOD(...,HttpServletRequest $REQ,...) {
              ...
            }
        - pattern-inside: |
            $X $METHOD(...,ServletRequest $REQ,...) {
              ...
            }
        - pattern-inside: |
            $X $METHOD(...) {
              ...
              HttpServletRequest $REQ = ...;
              ...
            }
        - pattern-inside: |
            $X $METHOD(...) {
              ...
              ServletRequest $REQ = ...;
              ...
            }
    - pattern-inside: |
        $X $METHOD(...) {
          ...
          Logger $LOG = ...;
          ...
          HttpServletRequest $REQ = ...;
          ...
        }
    - pattern-inside: |
        $X $METHOD(...) {
          ...
          Logger $LOG = ...;
          ...
          ServletRequest $REQ = ...;
          ...
        }
  - pattern-either:
          # Enumerate possible injection sites
    - pattern: |
        String $VAL = $REQ.getParameter(...);
        ...
        $LOG.$LEVEL(<... $VAL ...>);
    - pattern: |
        String $VAL = $REQ.getParameter(...);
        ...
        $LOG.log($LEVEL,<... $VAL ...>);
    - pattern: |
        $LOG.$LEVEL(<... $REQ.getParameter(...) ...>);
    - pattern: |
        $LOG.log($LEVEL,<... $REQ.getParameter(...) ...>);