
Fortify Log Forging Issue

We are scanning our .NET application with Fortify and need to provide some information on why the Log Forging issue does not apply to us. In our code we have the following pattern; of course it is not exactly as is, but I've captured the essence of what we're doing:

using System.Collections.Generic;
using System.Diagnostics;
using Microsoft.Practices.EnterpriseLibrary.Logging;   // assumed: LogEntry and Logger come from the Enterprise Library Logging block

private const int MaxLength = 100;   // the 100-character limit described below

public static void Write(object message,
            ICollection<string> categories, int priority,
            int eventId, TraceEventType severity, string title,
            IDictionary<string, object> properties)
{
        LogEntry log = new LogEntry();
        string messageToAdd = message.ToString();

        // Truncate the message to MaxLength; this is the only sanitisation applied.
        if (messageToAdd.Length > MaxLength)
            log.Message = messageToAdd.Substring(0, MaxLength);
        else
            log.Message = messageToAdd;

        log.Categories = categories;
        log.Priority = priority;
        log.EventId = eventId;
        log.Severity = severity;
        log.Title = title;
        log.ExtendedProperties = properties;

        // Static Logger facade; the original declared an unassigned "Logwriter Logger" local.
        Logger.Write(log);
}

So basically, we control how log entry objects are created. We restrict the message or user input to 100 characters. Hence we think that the Log Forging issue raised by Fortify is a false positive.

What do you all think?

Any message that is created by your code will be safe, but Fortify is flagging this because user input is being logged there. You will want to do more than limit the size of the input if you're allowing user data into the log. At least make sure there are no carriage returns or line feeds in the data so they can't spoof log messages. If the log can be viewed in a browser, you will also want to HTML encode the message. Check this file out:

https://owasp-esapi-dotnet.googlecode.com/svn/trunk/Esapi/Logger.cs

The OWASP ESAPI for .NET is pretty outdated, but this logger can show you a good way to look for the above use cases before putting the data in the log.

It's best to filter any user input that is logged to a file. Provide a white-list of acceptable characters or a black-list of unacceptable characters.

Example:

string safeUserInput = System.Text.RegularExpressions.Regex.Replace(txtUserInput.Text, "[^A-Za-z0-9 $]", "");

If nothing else, restrict any user input that allows "/n", so your log files don't eat space and cause the server to crash.
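An added example (not code from either answer or from the asker's project) that puts the two suggestions above side by side: the strict allow-list regex from the second answer, and the less lossy truncate, neutralise CR/LF, then HTML-encode approach from the first. The class and method names are hypothetical; it assumes only the .NET base class library.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

public static class LogSanitizer
{
    // Same 100-character limit the question's Write() method applies.
    private const int MaxLength = 100;

    // Allow-list filter (second answer): anything outside the set is dropped.
    public static string AllowList(string input)
    {
        return Regex.Replace(input ?? string.Empty, "[^A-Za-z0-9 $]", string.Empty);
    }

    // Neutralising variant (first answer): truncate, then make CR/LF and any other
    // control characters visible so one user value cannot span several log lines,
    // then HTML-encode when the log is rendered in a browser.
    public static string Sanitize(string input, bool htmlEncode)
    {
        string s = input ?? string.Empty;
        if (s.Length > MaxLength)
            s = s.Substring(0, MaxLength);           // length limit alone is not enough
        s = s.Replace("\r", "\\r").Replace("\n", "\\n");
        s = Regex.Replace(s, @"\p{C}", "?");         // remaining control characters
        return htmlEncode ? WebUtility.HtmlEncode(s) : s;
    }

    public static void Main()
    {
        // Constructed sample: a username field carrying a CRLF and a fake second line
        // plus markup; well under 100 characters, so truncation alone lets it through.
        string forged = "alice\r\nINFO: login ok for admin <b>x</b>";

        Console.WriteLine("Raw:       " + forged);                  // spans two lines
        Console.WriteLine("AllowList: " + AllowList(forged));       // one line, markup gone
        Console.WriteLine("Sanitize:  " + Sanitize(forged, true));  // one line, CRLF visible, tags encoded
    }
}
```

The "Raw:" line shows why Fortify still reports the question's code: the forged value fits the length limit yet writes a second, fake log line.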
