[英]Checkmarx Java fix for Log Forging -sanitizing user input
Can anyone suggest the proper sanitization/validation process required for the courseType variable in the following getCourses method.任何人都可以建议以下 getCourses 方法中 courseType 变量所需的正确清理/验证过程。 I am using that variable to write in a log file.
我正在使用该变量写入日志文件。
I've tried HtmlUtils.HtmlEscape() but didn't get expected results.我试过 HtmlUtils.HtmlEscape() 但没有得到预期的结果。
Thanks!谢谢!
@RequestMapping(value = "/retriveCourses", method = RequestMethod.GET)
@ResponseBody
public List<Course> getCourses(@RequestParam(value = "courseType", required = false) String courseType) {
}
it seems like the Checkmarx tool is correct in this case.在这种情况下,Checkmarx 工具似乎是正确的。
A "Log Forging" vulnerability means that an attacker could engineer logs of security-sensitive actions and lay a false audit trail, potentially implicating an innocent user or hiding an incident. “日志伪造”漏洞意味着攻击者可以设计安全敏感操作的日志并设置虚假审计跟踪,从而可能牵连无辜用户或隐藏事件。
While using htmlEscape
will escape some special characters:使用
htmlEscape
会转义一些特殊字符:
&lt;
represents the <
sign.<
符号。&gt;
represents the >
sign.>
符号。&amp;
represents the &
sign.&
符号。&quot;
represents the "
mark."
标志。 It will not escape or remove new-line/EOL/tab characters that must be avoided in order to keep logs integrity.它不会转义或删除为了保持日志完整性而必须避免的换行符/EOL/制表符。
The best practice recommendations to avoid log forging are:避免日志伪造的最佳实践建议是:
Make sure to replace all relevant dangerous characters.确保替换所有相关的危险字符。 example:
例子:
cleanInput = input.replace('\\t', '-').replace('\\n', '-').replace('\\r', '-');
Validate all input, regardless of source.验证所有输入,无论来源如何。 Validation should be based on a whitelist.
验证应基于白名单。 Accept only data fitting a specified structure, rather than reject bad patterns.
只接受符合指定结构的数据,而不是拒绝不良模式。 Check for: Data type, Size, Range, Format, Expected values.
检查:数据类型、大小、范围、格式、预期值。
Hopefully, that solves your problem.希望这能解决您的问题。
Have a look at the Logging - OWASP Cheat Sheet Series in the section 'Event Collection'查看“事件收集”部分中的日志记录 - OWASP 备忘单系列
The best encoder still OWASP Java Encoder => Solve the 2. of @yaloner最好的编码器还是OWASP Java Encoder => 解决@yaloner的2.
There is also a project at OWASP To help you to deal withs log injectionsOWASP Security Logging => Solve the 1. of @yaloner OWASP 也有一个项目帮助你处理日志注入OWASP Security Logging => 解决@yaloner 的 1.
Have a look at them will solve the issue看看他们会解决问题
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.