Below we share the threat model specific to log4net.
When using a log message containing template parameters like {0}
, only the format string is evaluated for parameters to be substituted.
The message parameters themselves are not evaluated for parameters; they are only included in the format string corresponding to their template position.
The conversion of message parameters into a string is done on-demand depending on the layout being used.
When structure-preserving transformations of log data are required, a structured layout (e.g., XmlLayout
) should be used.
Format strings should be compile-time constants, and under no circumstances should format strings be built using user-controlled input data.
When using an unstructured layout such as PatternLayout
, no guarantees can be made about the output format.
This layout is mainly useful for development purposes and should not be relied on in production applications.
For example, if a log message contains new lines, these are not escaped or encoded.
As such, when using unstructured layouts, no user-controlled input should be included in logs.
It is strongly recommended that a structured layout (e.g., XmlLayout
) is used instead for these situations.
When using a structured layout (most layouts besides pattern layout), log messages are encoded according to various output formats.
These safely encode the various fields included in a log message.
For example, the XmlLayout
can be used to output log messages in an XML structure where all log data is properly encoded into safely parseable XML.
This is the recommended mode of operation for use with log parsing and log collection tools that rely on log files or arbitrary output streams.
Log4Net, like any other generic logging library, cannot generically support log masking of sensitive data. While custom plugins may be developed to attempt to mask various regular expressions (such as a string that looks like a credit card number), the general problem of log masking is equivalent to the halting problem in computer science where sensitive data can always be obfuscated in such a way as to avoid detection by log masking. As such, it is the responsibility of the developer to properly demarcate sensitive data such that it can be consistently masked by log masking plugins.
Log4Net goes to great lengths to minimize performance overhead along with options for minimizing latency or maximizing throughput. However, we cannot guarantee availability of the application if the appenders cannot keep up with the logs being written. Logging can cause applications to block and wait for a log message to be written.