Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

False positive - Log entries created from user input (cs/log-forging) #15824

Open
serhatataman opened this issue Mar 6, 2024 · 2 comments
Open

False positive - Log entries created from user input (cs/log-forging) #15824

serhatataman opened this issue Mar 6, 2024 · 2 comments
Labels
C# false-positive

Comments

@serhatataman
Copy link

serhatataman commented Mar 6, 2024
edited
Loading

Description of the false positive

The user input/log string is handled inside an extension log method and sanitized. We are getting a false positive warning from our Logging extension method. The warning message is: Log entries created from user input (cs/log-forging)

Code samples or links to source code

This is how the logger is called and the place where it throws this log warning message. (However, note that we do our message sanitization inside our extension method)

_logger.Feil($"Fant ingen for oppgitt år {aarstallStreng}", nameof(MetodeArrsbonus), correlationId); . Note that Feil is our extension method and it looks like this:

public static void Feil(this ILogger logger, string message, string metodeNavn, string correlationId)
    {
        logger.LogError("CorrelationId: {CorrelationId}, MetodeNavn: {MetodeNavn}, Melding: {Melding}, Tidspunkt: {Tidspunkt}", correlationId, metodeNavn, RemoveInvalidCharacters(message), DateTimeOffset.Now);
    }

And this is our sanitization method:

private static string RemoveInvalidCharacters(this string message)
    {
        message = message.Replace(Environment.NewLine, "");

        var invalidChars = new HashSet<char>("&^$#@+;<>*");
        StringBuilder washedMessage = new StringBuilder(message.Length);
        foreach (char x in message.Where(c => !invalidChars.Contains(c)))
        {
            washedMessage.Append(x);
        }
        return washedMessage.ToString();
    }

This is the error that occurs:
image

What did I expect to happen?
Since we sanitize the input in our extension method, the error should not appear.

How can you reproduce it?
override logging method, pass inn variables to that override method as string and do string sanitization inside that override method.
@serhatataman serhatataman changed the title False positive False positive - Log entries created from user input (cs/log-forging) Mar 6, 2024
@mbg
Copy link
Member

mbg commented Mar 6, 2024

Hi @serhatataman 👋

Thank you for reporting this to us. That does indeed look like a false positive and we will track this issue internally. However, I cannot give you any estimate for when a fix will be available.

@sidshank sidshank added the C# label Mar 7, 2024
@Jeff-Buda-at-Relias
Copy link

Jeff-Buda-at-Relias commented Dec 31, 2024
edited
Loading

@mbg Can you provide a sanitization function or technique that would not result in a false positive?

@bhazen bhazen mentioned this issue Mar 5, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
C# false-positive
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@mbg @sidshank @serhatataman @Jeff-Buda-at-Relias