堆栈内存溢出
  简体   繁体   English

在 Veracode 中使用 slf4j LOGGER 时的 CRLF 注入漏洞(CWE 117)

[英]CRLF Injection vulnerability while using slf4j LOGGER in Veracode (CWE 117)

 原文  2020-12-01 08:17:33       java/ security/ veracode/ crlf-vulnerability

问题描述

It's a slf4j logger and i have been trying to log error with 2 messages parameters.这是一个 slf4j 记录器,我一直在尝试用 2 个消息参数记录错误。

catch(ExecutionException executionException) {

LOGGER.error("TimeoutException caught , Error: " + SSG_TIMEOUT.getErrorText() 
       + ". Message: " +executionException.getMessage());    
}

SSG_TIMEOUT.getErrorText() results to a String "TimeOut error encountered" SSG_TIMEOUT.getErrorText()结果为字符串"TimeOut error encountered" SSG_TIMEOUT.getErrorText() "TimeOut error encountered"

Things i used我用过的东西

  1. Manual sanitize code手动清理代码

    return entry.replace("\\t", "\\\\t").replace("\\b", "\\\\b").replace("\\n", "\\\\n").replace("\\r", "\\\\r").replace("\\f", "\\\\f").replace("\", "\\\\0").replace("\\\\a", "\\\\a").replace("\\\\v", "\\\\v").replace("\\\\e", "\\\\e").replaceAll("\\\\p{Cntrl}", "").replace("'", "\\\\'").replace("\\"", "\\\\\\"").replace("\\\\", "\\\\\\\\");

  2. StringEscapeUtils.escapeJson(String errorMessage)

  3. String builder to append string + escapeJson(StringBuilder.toString())字符串生成器追加字符串 + escapeJson(StringBuilder.toString())

Still i see the issue in my veracode report.我仍然在我的 veracode 报告中看到了这个问题。

Any Suggestions?有什么建议么?

1 个解决方案

解决方案1
 2  2020-12-08 06:11:36

First of all first 2 methods of sanitization are correct, its just that there are not supported by Veracode.首先,前两种清理方法是正确的,只是 Veracode 不支持。

Before using a method one should visit About Supported Cleansing Functions in https://help.veracode.com/r/review_cleansers在使用一种方法之前,应该访问https://help.veracode.com/r/review_cleansers 中的About Supported Cleansing Functions

So, for the above problem StringUtils.normalizeSpace() worked.因此,对于上述问题StringUtils.normalizeSpace()有效。 "StringUtils.escapeJava" could also be used but it seems deprecated也可以使用“StringUtils.escapeJava”,但它似乎已被弃用

Soln:索恩:

    catch(ExecutionException executionException) {

    LOGGER.error("TimeoutException caught , Error: " + 
    StringUtils.normalizeSpace(SSG_TIMEOUT.getErrorText() 
    }

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Slf4j LOGGER 用法 - Slf4j LOGGER usage Slf4j记录器的模式 - Pattern for Slf4j logger 使用简单的slf4j而不是logger4j的slf4j - Slf4j using simple slf4j instead of logger4j 使用 log4j 实例创建 slf4j Logger - Using an instance of log4j to create slf4j Logger Logger slf4j未使用Logback配置级别 - Logger slf4j is not using the logback configured level Intellij无法使用Lombok检测到@ Slf4j添加的记录器 - Intellij fails to detect the logger added by @Slf4j using Lombok Veracode 缺陷 CWE-93:CRLF 序列的不正确中和(“CRLF 注入”) - Veracode flaw CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') 使用slf4j Logger记录所有HashMap键和值 - Log all HashMap keys and values using slf4j Logger Spring构造函数注入SLF4J logger - 如何获取注入目标类? - Spring constructor injection of SLF4J logger - how to get injection target class? SLF4J自己的记录器仅用一种方法 - SLF4J own logger for a single method
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM