Rules Repository / RSPEC-2773

Untrusted data should be escaped before being logged


    Details

    • Type: Vulnerability Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make sure "xxx" does not contain unescaped malicious values.
    • Default Severity:
      Minor
    • Impact:
      Low
    • Likelihood:
      Low
    • Targeted languages:
      ABAP, C#, C++, Cobol, Java, PHP, Python, Swift, VB.Net
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      15min
    • Analysis Scope:
      Main Sources
    • Implementation details:
    • Common Rule:
      Yes
    • CWE:
      CWE-117
    • OWASP:
      A1

      Description

      In the event of a system failure, application logs may be your only way of untangling what happened. If you log user input verbatim, however, those logs are no longer reliable: a malicious user can supply specially crafted input (for example, a value containing line breaks) to insert false log entries, or to corrupt existing ones so that neither log-processing tools nor a manual audit can trust what they read.

      Noncompliant Code Example

      import java.util.logging.Level;
      import java.util.logging.Logger;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;

      private static final Logger LOGGER = Logger.getLogger("app");

      public void doGet(HttpServletRequest request, HttpServletResponse response) {
        LOGGER.log(Level.INFO, request.getParameter("user"));  // Noncompliant: untrusted value logged unescaped
        // ...
      }
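      The example below is an added illustration, not code from the rule page or from SonarSource; it shows the same defect in Python, one of the rule's targeted languages, next to a compliant version. The log format, the logger name "demo", the function names and the crafted "user" parameter are all assumptions made for the demonstration. The crafted value contains a newline followed by text that mimics a genuine entry, so the noncompliant call writes two log lines, the second of which falsely records a login for "admin"; the compliant call escapes line breaks and other control characters first, so the whole value stays on one line.

```python
import io
import logging

# Constructed sample input (not from the original rule page): a "user"
# request parameter crafted so that, written verbatim, it forges a second
# log entry that looks like a successful login for "admin".
FORGING_USER_PARAM = "alice\nINFO demo: login user=admin"

# Assumed log format for the demonstration.
LOG_FORMAT = "%(levelname)s %(name)s: login user=%(message)s"


def escape_for_log(value: str) -> str:
    """Escape characters that would let untrusted input break out of a single
    log line. Newlines and carriage returns are what forge entries; the other
    C0 control characters (and DEL) are escaped too, since log viewers and
    terminals may interpret them."""
    out = []
    for ch in value:
        if ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ch == "\t":
            out.append("\\t")
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def _fresh_logger(name: str):
    """Logger writing to an in-memory buffer so the result can be inspected."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter(LOG_FORMAT))
    logger.addHandler(handler)
    return logger, buf


def log_login_noncompliant(user_param: str) -> str:
    """Logs the parameter verbatim (the pattern the rule flags) and returns
    the resulting log text."""
    logger, buf = _fresh_logger("demo")
    logger.info(user_param)  # Noncompliant: untrusted value, no escaping
    return buf.getvalue()


def log_login_compliant(user_param: str) -> str:
    """Escapes the parameter first, so the entry cannot span lines."""
    logger, buf = _fresh_logger("demo")
    logger.info(escape_for_log(user_param))  # Compliant
    return buf.getvalue()


def count_entries(log_text: str) -> int:
    """Number of entries a line-oriented log processor would see."""
    return len(log_text.splitlines())


if __name__ == "__main__":
    bad = log_login_noncompliant(FORGING_USER_PARAM)
    good = log_login_compliant(FORGING_USER_PARAM)
    print("Noncompliant produced", count_entries(bad), "entries:\n" + bad)
    print("Compliant produced", count_entries(good), "entry:\n" + good)
```

      Escaping rather than stripping keeps the evidence of the attempt in the log: an auditor reading the compliant output still sees the literal `\n` and the forged text, but a line-oriented parser counts a single entry. The same check applies to any other field that reaches the log from a request (headers, path, cookies), not just query parameters.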
      

      See


              People

              Assignee: Unassigned
              Reporter: Ann Campbell (ann.campbell.2)
              Votes: 0
              Watchers: 1
