Rules Repository: RSPEC-5145

Logging should not be vulnerable to injection attacks

    Details

    • Message:
      Refactor this code to not log tainted, user-controlled data.
    • Highlighting:
      "[varname]" is tainted (assignments and parameters)
      this argument is tainted (method invocations)
      the returned value is tainted (returns & method invocation results)
    • Default Severity:
      Minor
    • Impact:
      Low
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Covered Languages:
      C#, Java, PHP
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      30min
    • Analysis Level:
      Abstract Interpretation
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-117
    • OWASP:
      A1
    • SANS Top 25:
      Insecure Interaction Between Components

      Description

      User-provided data, such as URL parameters, POST data payloads or cookies, should always be considered untrusted and tainted. Applications that log tainted data could enable an attacker to inject characters (for example line breaks) that break the log file pattern. This could be used to forge entries or to block monitors and SIEM (Security Information and Event Management) systems from detecting other malicious events.

      This problem could be mitigated by sanitizing the user-provided data before logging it.
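      The noncompliant and compliant cases side by side, as an added example that is not SonarSource's code: the `LogSanitizer` class, its `sanitize` method and the constructed `username` value are assumptions for illustration, and `java.util.logging` stands in for whatever logger the application uses.

```java
import java.util.logging.Logger;

// Added example (hypothetical class, not part of the rule specification):
// neutralise control characters in user-controlled data before it reaches the log.
public class LogSanitizer {
    private static final Logger LOG = Logger.getLogger(LogSanitizer.class.getName());

    // Replace CR, LF and every other control character with a visible escape, so one
    // tainted value can never start a second log line or emit a terminal escape.
    public static String sanitize(String tainted) {
        if (tainted == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(tainted.length());
        for (int i = 0; i < tainted.length(); i++) {
            char c = tainted.charAt(i);
            if (c == '\n') {
                out.append("\\n");
            } else if (c == '\r') {
                out.append("\\r");
            } else if (c < 0x20 || c == 0x7f) {
                out.append(String.format("\\x%02x", (int) c));
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a request parameter carrying an embedded CRLF followed by
        // text shaped like a second, successful-looking log entry.
        String username = "bob\r\nINFO: login succeeded for user=admin";

        // Noncompliant: the tainted value is written unchanged, so the log file now
        // contains a forged line that a monitor or SIEM rule cannot tell from a real one.
        LOG.info("login failed for user=" + username);

        // Compliant: CR and LF are rendered as the literal text "\r\n" and the whole
        // value stays on the single line the log pattern expects.
        LOG.info("login failed for user=" + sanitize(username));
    }
}
```

      Sanitizing at the logging call is the minimum; applying the same escaping in a shared logging wrapper removes the need to remember it at every call site.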

      See

        Attachments

        1. Java RSPEC-5152 (Language-Specification, Active, Unassigned)
        2. C# RSPEC-5153 (Language-Specification, Active, Unassigned)
        3. PHP RSPEC-5154 (Language-Specification, Active, Unassigned)

            People

            • Assignee: Unassigned
            • Reporter: lars.svensson Lars Svensson