CRLF Injection vulnerability while using slf4j LOGGER in Veracode (CWE 117)
It's an slf4j logger and I have been trying to log an error with 2 message parameters.
catch(ExecutionException executionException) {
LOGGER.error("TimeoutException caught , Error: " + SSG_TIMEOUT.getErrorText()
+ ". Message: " +executionException.getMessage());
}
SSG_TIMEOUT.getErrorText() returns the String "TimeOut error encountered"
Things I used:
1. Manual sanitize code (backslash is escaped first so the escapes added afterwards are not doubled):
private static String sanitize(String entry) {
    return entry.replace("\\", "\\\\")
            .replace("\t", "\\t").replace("\b", "\\b").replace("\n", "\\n")
            .replace("\r", "\\r").replace("\f", "\\f").replace("\0", "\\0")
            .replaceAll("\\p{Cntrl}", "")   // drop any remaining control characters
            .replace("'", "\\'").replace("\"", "\\\"");
}
2. StringEscapeUtils.escapeJson(String errorMessage)
3. StringBuilder to append the strings + escapeJson(StringBuilder.toString())
Still I see the issue in my Veracode report.
Any suggestions?
First of all, the first 2 methods of sanitization are correct, it's just that they are not supported by Veracode.
Before using a method one should visit About Supported Cleansing Functions in https://help.veracode.com/r/review_cleansers
So, for the above problem StringUtils.normalizeSpace() worked. "StringUtils.escapeJava" could also be used but it seems deprecated.
Solution:
// StringUtils here is org.apache.commons.lang3.StringUtils
catch (ExecutionException executionException) {
    LOGGER.error("TimeoutException caught , Error: "
            + StringUtils.normalizeSpace(SSG_TIMEOUT.getErrorText()));
}
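The example below is added here and is not code from the question or the answer. It shows concretely what CWE-117 is about for the LOGGER.error call in the question: an untrusted fragment containing "\r\n" splits one log entry into two physical lines, and the second line can be a forged entry. It uses only the JDK (no slf4j, no Commons Lang), the class name, method names and the sample messages are constructed for illustration, and it runs with `javac LogNeutralizeDemo.java && java LogNeutralizeDemo`. The answer's StringUtils.normalizeSpace() meets the same one-line requirement by collapsing every run of whitespace, CR and LF included, into a single space; the hand-rolled neutralize() here goes one step further and also escapes non-whitespace control characters such as ESC (0x1B), which normalizeSpace leaves as-is. As the answer notes, Veracode only credits cleansers from its supported list, so in a scanned code base the listed cleanser is still the one to call; this example is for understanding what the cleanser must guarantee.

```java
/**
 * Added example (not from the original post). Demonstrates CRLF log
 * injection (CWE-117) and a neutralizer that keeps one message on one line.
 * JDK only; all input strings below are constructed for the demo.
 */
public class LogNeutralizeDemo {

    /**
     * Escape every C0 control character (CR, LF, TAB, ESC, ...), DEL and the
     * backslash, so an untrusted string can occupy only one log line and cannot
     * carry terminal escape sequences to whoever tails the log file.
     */
    public static String neutralize(String s) {
        if (s == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\': out.append("\\\\"); break;   // keep our own escapes unambiguous
                case '\r': out.append("\\r");  break;
                case '\n': out.append("\\n");  break;
                case '\t': out.append("\\t");  break;
                default:
                    if (c < 0x20 || c == 0x7f) {        // any other control character
                        out.append(String.format("\\u%04x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    /** The entry the question's LOGGER.error call builds, with both untrusted parts cleansed. */
    public static String formatEntry(String errorText, String exceptionMessage) {
        return "TimeoutException caught , Error: " + neutralize(errorText)
                + ". Message: " + neutralize(exceptionMessage);
    }

    public static void main(String[] args) {
        String errorText = "TimeOut error encountered";   // what SSG_TIMEOUT.getErrorText() returns

        // Constructed attacker-influenced exception message: CRLF followed by a forged entry.
        String forged = "connection refused\r\n"
                + "2024-01-01 12:00:00 INFO  AuthService - login OK for user=admin";

        String unsafeEntry = "TimeoutException caught , Error: " + errorText + ". Message: " + forged;
        String safeEntry   = formatEntry(errorText, forged);

        System.out.println("--- unsafe (two physical lines, the second one forged) ---");
        System.out.println(unsafeEntry);
        System.out.println("--- neutralized (one line, CRLF visible as \\r\\n) ---");
        System.out.println(safeEntry);

        // Checks a unit test for the cleanser would make.
        if (unsafeEntry.split("\r?\n").length != 2) throw new AssertionError("expected a forged second line");
        if (safeEntry.contains("\n") || safeEntry.contains("\r")) throw new AssertionError("line break survived");
        if (!safeEntry.contains("\\r\\n")) throw new AssertionError("escape not emitted");

        // ANSI sequence that would clear the screen of anyone running `tail -f` on the log.
        String ansi = "\u001b[2J\u001b[H fake prompt$ ";
        if (!neutralize(ansi).equals("\\u001b[2J\\u001b[H fake prompt$ ")) throw new AssertionError("ESC not escaped");
    }
}
```

Whichever cleanser is used, apply it to every fragment that is not a compile-time constant, not only to the error text: in the question's call the exception message is the part most likely to carry attacker-controlled bytes.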
Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.