From d31d721244683227dc3f7e74de679e62b09e922c Mon Sep 17 00:00:00 2001 From: August Date: Wed, 21 Mar 2018 09:17:44 -0700 Subject: [PATCH 1/5] Update log4J2 version to 2.8.2 Fix for CVE-2017-5645. See #35
---
 owasp-security-logging-log4j/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/owasp-security-logging-log4j/pom.xml b/owasp-security-logging-log4j/pom.xml
index 129fdba..4dcd789 100644
--- a/owasp-security-logging-log4j/pom.xml
+++ b/owasp-security-logging-log4j/pom.xml
@@ -31,7 +31,7 @@ https://github.com/javabeanz/owasp-security-logging - 2.2 + 2.8.2
From eb5792005cf74ea8f61adb4e5d834f623372a582 Mon Sep 17 00:00:00 2001 From: August Date: Wed, 21 Mar 2018 09:23:37 -0700 Subject: [PATCH 2/5] Update tests to work with new Log4J version See #35
---
 .../logging/log4j/Log4JMarkerConverter.java | 39 +++++++++++++++++++
 .../ExcludeClassifiedMarkerFilterTest.java | 5 +--
 .../security/logging/log4j/PureLog4jTest.java | 5 +--
 .../log4j/SecurityMarkerFilterTest.java | 5 +--
 .../logging/log4j/mask/CRLFConverterTest.java | 5 +--
 .../log4j/mask/MaskingRewritePolicyTest.java | 34 +++++++++-------
 6 files changed, 67 insertions(+), 26 deletions(-)
 create mode 100644 owasp-security-logging-log4j/src/main/java/org/owasp/security/logging/log4j/Log4JMarkerConverter.java
diff --git a/owasp-security-logging-log4j/src/main/java/org/owasp/security/logging/log4j/Log4JMarkerConverter.java b/owasp-security-logging-log4j/src/main/java/org/owasp/security/logging/log4j/Log4JMarkerConverter.java
new file mode 100644
index 0000000..6996790
--- /dev/null
+++ b/owasp-security-logging-log4j/src/main/java/org/owasp/security/logging/log4j/Log4JMarkerConverter.java
@@ -0,0 +1,39 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.owasp.security.logging.log4j;
+
+import java.util.Iterator;
+import org.apache.logging.log4j.Marker;
+import org.apache.logging.log4j.MarkerManager;
+
+/**
+ *
+ * @author August Detlefsen [augustd@codemagi.com]
+ */
+public class Log4JMarkerConverter {
+
+ public static Marker convertMarker(org.slf4j.Marker input) {
+ Marker output = MarkerManager.getMarker(input.getName());
+
+ if (input.hasReferences()) {
+ Iterator i = input.iterator();
+ while (i.hasNext()) {
+ org.slf4j.Marker ref = (org.slf4j.Marker)i.next();
+ output.addParents(convertMarker(ref));
+ }
+ }
+ return output;
+ }
+
+}
diff --git a/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/ExcludeClassifiedMarkerFilterTest.java b/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/ExcludeClassifiedMarkerFilterTest.java
index f3545e4..d8ea01e 100644
--- a/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/ExcludeClassifiedMarkerFilterTest.java
+++ b/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/ExcludeClassifiedMarkerFilterTest.java
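Review bot: `convertMarker` dereferences `input` on its first line with no null guard, so a null SLF4J marker fails inside the converter instead of at the logging call that owns the contract; either fail explicitly with `Objects.requireNonNull(input, "input")` or document and return null, which the Log4j logger overloads accept as "no marker". The raw `Iterator` and the cast in the loop are unnecessary against SLF4J 1.7, where `Marker.iterator()` is declared `Iterator<Marker>`; `Iterator<org.slf4j.Marker> i = input.iterator();` followed by `output.addParents(convertMarker(i.next()));` removes both. The class Javadoc is empty apart from `@author`; it should say that the result is the registry-held marker from `MarkerManager.getMarker`, a shared instance whose parent set `addParents` mutates in place, since whether two conversions of the same marker name yield the same object is exactly what a filter or masking policy comparing markers needs to know. Presumably Log4j dedupes parents so repeated conversion is idempotent, but that is worth confirming before relying on it.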
@@ -18,7 +18,7 @@
 import org.apache.logging.log4j.core.Filter;
 import org.apache.logging.log4j.core.LogEvent;
-import org.apache.logging.log4j.junit.InitialLoggerContext;
+import org.apache.logging.log4j.junit.LoggerContextRule;
 import org.apache.logging.log4j.test.appender.ListAppender;
 import org.junit.After;
 import org.junit.Before;
@@ -40,8 +40,7 @@ public class ExcludeClassifiedMarkerFilterTest {
 .getLogger(ExcludeClassifiedMarkerFilterTest.class);
 @ClassRule
- public static InitialLoggerContext context = new InitialLoggerContext(
- CONFIG);
+ public static LoggerContextRule context = new LoggerContextRule(CONFIG);
 ListAppender appender;
diff --git a/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/PureLog4jTest.java b/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/PureLog4jTest.java
index f265869..535839d 100644
--- a/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/PureLog4jTest.java
+++ b/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/PureLog4jTest.java
@@ -18,7 +18,7 @@
 import org.apache.logging.log4j.core.Filter;
 import org.apache.logging.log4j.core.LogEvent;
-import org.apache.logging.log4j.junit.InitialLoggerContext;
+import org.apache.logging.log4j.junit.LoggerContextRule;
 import org.apache.logging.log4j.test.appender.ListAppender;
 import org.junit.After;
 import org.junit.Before;
@@ -39,8 +39,7 @@ public class PureLog4jTest {
 .getLogger(PureLog4jTest.class);
 @ClassRule
- public static InitialLoggerContext context = new InitialLoggerContext(
- CONFIG);
+ public static LoggerContextRule context = new LoggerContextRule(CONFIG);
 ListAppender appender;
diff --git a/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/SecurityMarkerFilterTest.java b/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/SecurityMarkerFilterTest.java
index 94599d9..ef78307 100644
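Review bot: The new `public static LoggerContextRule context` field here, and the same line in the PureLog4jTest hunk below and the SecurityMarkerFilterTest and MaskingRewritePolicyTest hunks later in this patch, is left non-final, while the CRLFConverterTest hunk in the same patch declares it `public static final LoggerContextRule context`; a `@ClassRule` field is assigned exactly once, so `final` is the right choice and the five declarations should match. A one-line comment such as `// @ClassRule fields must be public static for JUnit 4 to apply them` would also explain the otherwise unusual public field to the next reader.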
--- a/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/SecurityMarkerFilterTest.java
+++ b/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/SecurityMarkerFilterTest.java
@@ -19,7 +19,7 @@
 import org.apache.logging.log4j.core.Filter;
 import org.apache.logging.log4j.core.LogEvent;
-import org.apache.logging.log4j.junit.InitialLoggerContext;
+import org.apache.logging.log4j.junit.LoggerContextRule;
 import org.apache.logging.log4j.test.appender.ListAppender;
 import org.junit.After;
 import org.junit.Before;
@@ -42,8 +42,7 @@ public class SecurityMarkerFilterTest {
 .getLogger(SecurityMarkerFilterTest.class);
 @ClassRule
- public static InitialLoggerContext context = new InitialLoggerContext(
- CONFIG);
+ public static LoggerContextRule context = new LoggerContextRule(CONFIG);
 ListAppender appender;
diff --git a/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/mask/CRLFConverterTest.java b/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/mask/CRLFConverterTest.java
index 9740265..096fa74 100644
--- a/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/mask/CRLFConverterTest.java
+++ b/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/mask/CRLFConverterTest.java
@@ -17,7 +17,7 @@
 import org.apache.logging.log4j.core.LogEvent;
 import org.apache.logging.log4j.core.pattern.EncodingPatternConverter;
-import org.apache.logging.log4j.junit.InitialLoggerContext;
+import org.apache.logging.log4j.junit.LoggerContextRule;
 import org.apache.logging.log4j.test.appender.ListAppender;
 import org.junit.After;
 import org.junit.Before;
@@ -39,8 +39,7 @@ public class CRLFConverterTest {
 private static final String CONFIG = "log4j2.xml";
 @ClassRule
- public static InitialLoggerContext context = new InitialLoggerContext(
- CONFIG);
+ public static final LoggerContextRule context = new LoggerContextRule(CONFIG);
 private static final org.slf4j.Logger LOGGER = LoggerFactory
 .getLogger(CRLFConverterTest.class);
diff --git a/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/mask/MaskingRewritePolicyTest.java b/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/mask/MaskingRewritePolicyTest.java
index 520c816..1c9e142 100644
--- a/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/mask/MaskingRewritePolicyTest.java
+++ b/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/mask/MaskingRewritePolicyTest.java
@@ -3,19 +3,22 @@
 import junit.framework.TestCase;
 import org.apache.logging.log4j.Level;
-import org.apache.logging.log4j.Marker;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.MarkerManager;
 import org.apache.logging.log4j.core.LogEvent;
 import org.apache.logging.log4j.core.impl.Log4jLogEvent;
 import org.apache.logging.log4j.core.impl.Log4jLogEvent.Builder;
-import org.apache.logging.log4j.junit.InitialLoggerContext;
+import org.apache.logging.log4j.junit.LoggerContextRule;
 import org.apache.logging.log4j.message.Message;
 import org.apache.logging.log4j.message.ParameterizedMessage;
+import org.apache.logging.log4j.message.ParameterizedMessageFactory;
 import org.apache.logging.log4j.message.SimpleMessage;
 import org.apache.logging.log4j.test.appender.ListAppender;
 import org.junit.After;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotSame;
+import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 import org.junit.Before;
 import org.junit.ClassRule;
@@ -23,7 +26,9 @@
 import org.junit.Test;
 import org.junit.runners.MethodSorters;
 import org.owasp.security.logging.SecurityMarkers;
+import org.owasp.security.logging.log4j.Log4JMarkerConverter;
 import org.slf4j.LoggerFactory;
+import org.slf4j.Marker;
 /**
 * The class MaskingRewritePolicyTest contains tests for the class
@@ -41,19 +46,17 @@ public class MaskingRewritePolicyTest {
 private static final String CONFIG = "log4j2.xml";
- private static final org.slf4j.Logger LOGGER = LoggerFactory
- .getLogger(MaskingRewritePolicyTest.class);
-
 private static final String SSN = "123-45-6789";
 @ClassRule
- public static InitialLoggerContext context = new InitialLoggerContext(CONFIG);
+ public static LoggerContextRule context = new LoggerContextRule(CONFIG);
+ Logger LOGGER;
 ListAppender appender;
 @Before
 public void setUp() {
- System.out.println("CONTEXT: " + context);
+ LOGGER = LogManager.getLogger(MaskingRewritePolicyTest.class, new ParameterizedMessageFactory());
 appender = context.getListAppender("List");
 }
@@ -65,10 +68,12 @@ public void tearDown() {
 @Test
 public void testRewriteMultiMarker() {
 System.out.println("running testRewriteMultiMarker()");
- org.slf4j.Marker multiMarker = SecurityMarkers.getMarker(SecurityMarkers.CONFIDENTIAL, SecurityMarkers.SECURITY_FAILURE);
+
+ //get multi marker
+ Marker multiMarker = SecurityMarkers.getMarker(SecurityMarkers.CONFIDENTIAL, SecurityMarkers.SECURITY_FAILURE);
 // test a logging event with the multi-marker
- LOGGER.info(multiMarker, "ssn={}", SSN);
+ LOGGER.info(Log4JMarkerConverter.convertMarker(multiMarker), "ssn={}", SSN);
 LogEvent failEvent = appender.getEvents().get(0);
 Message message = failEvent.getMessage();
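Review bot: `Logger LOGGER;` in the -41 hunk is a package-visible instance field re-assigned on every `setUp`, yet it carries constant naming; `private Logger logger;` describes what it now is. If it was moved out of a `static final` initialiser so that the `@ClassRule` context is fully set up before `LogManager.getLogger` runs — which looks like the motivation, though the hunk does not say — that ordering constraint deserves a comment on the field, e.g. `// obtained per test: the LoggerContextRule must be initialised first`, or the next cleanup will move it back. The `//get multi marker` comment added in the -65 hunk also departs from the `// test …` comment style on the surrounding lines.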
@@ -84,7 +89,7 @@ public void testRewriteConfidentialWithParams() {
 System.out.println("running testRewriteConfidentialWithParams()");
 // test a logging event with the CONFIDENTIAL marker
- LOGGER.info(SecurityMarkers.CONFIDENTIAL, "ssn={}", SSN);
+ LOGGER.info(Log4JMarkerConverter.convertMarker(SecurityMarkers.CONFIDENTIAL), "ssn={}", SSN);
 LogEvent failEvent = appender.getEvents().get(0);
 Message message = failEvent.getMessage();
@@ -101,7 +106,7 @@ public void testRewriteConfidentialNoParams() {
 System.out.println("running testRewriteConfidentialNoParams()");
 // test a logging event with the CONFIDENTIAL marker
- LOGGER.info(SecurityMarkers.CONFIDENTIAL, "ssn=" + SSN);
+ LOGGER.info(Log4JMarkerConverter.convertMarker(SecurityMarkers.CONFIDENTIAL), "ssn=" + SSN);
 LogEvent failEvent = appender.getEvents().get(0);
 Message message = failEvent.getMessage();
@@ -118,7 +123,7 @@ public void testRewriteNotConfidential() {
 System.out.println("running testRewriteSingleMarker()");
 // test a logging event with the CONFIDENTIAL marker
- LOGGER.info(SecurityMarkers.SECURITY_SUCCESS, "ssn={}", SSN);
+ LOGGER.info(Log4JMarkerConverter.convertMarker(SecurityMarkers.SECURITY_SUCCESS), "ssn={}", SSN);
 LogEvent failEvent = appender.getEvents().get(0);
 Message message = failEvent.getMessage();
@@ -144,11 +149,12 @@ public void testRewriteConfidentialNoMessage() {
 System.out.println("running testRewriteConfidentialNoMessage()");
 // test a logging event with null marker
- LOGGER.info(null);
+ String nullString = null;
+ LOGGER.info(nullString);
 LogEvent failEvent = appender.getEvents().get(0);
 Message message = failEvent.getMessage();
 System.out.println("Formatted message: " + message.getFormattedMessage());
- assertTrue(message.getFormattedMessage() == null);
+ assertEquals(message.getFormattedMessage(), "null");
 }
 }
From 7b0c10a5f518b3d00581fad56e76de2c101444bd Mon Sep 17 00:00:00 2001
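Review bot: `assertEquals(message.getFormattedMessage(), "null")` in the -144 hunk reverses JUnit's `assertEquals(expected, actual)` order, so a failure would report the two values the wrong way round; write `assertEquals("null", message.getFormattedMessage());`. The comment above the new lines, `// test a logging event with null marker`, and the method name `testRewriteConfidentialNoMessage` both describe something the test no longer does — it logs a null message with no marker at all — so either the comment should read `// test a logging event with a null message and no marker` or the call should pass the CONFIDENTIAL marker if that path is what was meant. The -118 hunk keeps `// test a logging event with the CONFIDENTIAL marker` above a call that passes SECURITY_SUCCESS; that comment should say `with a non-CONFIDENTIAL marker`, and the `running testRewriteSingleMarker()` println there names a method that does not exist in this file.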
From: August Date: Wed, 21 Mar 2018 09:24:12 -0700 Subject: [PATCH 3/5] Add converter for SLF4J to Log4J Markers See #35
---
 .../logging/log4j/mask/MaskingRewritePolicy.java | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/owasp-security-logging-log4j/src/main/java/org/owasp/security/logging/log4j/mask/MaskingRewritePolicy.java b/owasp-security-logging-log4j/src/main/java/org/owasp/security/logging/log4j/mask/MaskingRewritePolicy.java
index f513531..c835a73 100644
--- a/owasp-security-logging-log4j/src/main/java/org/owasp/security/logging/log4j/mask/MaskingRewritePolicy.java
+++ b/owasp-security-logging-log4j/src/main/java/org/owasp/security/logging/log4j/mask/MaskingRewritePolicy.java
@@ -75,14 +75,15 @@ public LogEvent rewrite(LogEvent source) {
 for (int i = 0; i < params.length; i++) {
 params[i] = MASKED_PASSWORD;
 }
+
+ // create new message
 Message outMessage = new ParameterizedMessage(msg.getFormat(), params, msg.getThrowable());
- LogEvent output = new Log4jLogEvent(source.getLoggerName(),
- source.getMarker(), source.getLoggerFqcn(), source.getLevel(),
- outMessage, source.getThrown(), source.getContextMap(),
- source.getContextStack(), source.getThreadName(),
- source.getSource(), source.getTimeMillis());
+ // build new log event for output
+ LogEvent output = new Log4jLogEvent.Builder(source)
+ .setMessage(outMessage).build();
+
 return output;
 }
From ea81ad631a906e3bbdf6123e31ba253fa622fc4f Mon Sep 17 00:00:00 2001 From: August Date: Wed, 21 Mar 2018 09:28:33 -0700 Subject: [PATCH 4/5] Code cleanup
---
 .../log4j/mask/MaskingRewritePolicy.java | 35 +--
 .../security/logging/log4j/PureLog4jTest.java | 11 +-
 .../logging/log4j/mask/CRLFConverterTest.java | 2 +-
 .../log4j/mask/MaskingRewritePolicyTest.java | 214 +++++++++---------
 4 files changed, 123 insertions(+), 139 deletions(-)
diff --git a/owasp-security-logging-log4j/src/main/java/org/owasp/security/logging/log4j/mask/MaskingRewritePolicy.java b/owasp-security-logging-log4j/src/main/java/org/owasp/security/logging/log4j/mask/MaskingRewritePolicy.java
index c835a73..ebdbfc0 100644
--- a/owasp-security-logging-log4j/src/main/java/org/owasp/security/logging/log4j/mask/MaskingRewritePolicy.java
+++ b/owasp-security-logging-log4j/src/main/java/org/owasp/security/logging/log4j/mask/MaskingRewritePolicy.java
@@ -32,50 +32,53 @@ public class MaskingRewritePolicy implements RewritePolicy {
 public static final Object MASKED_PASSWORD = "********";
-
- @PluginFactory
- public static MaskingRewritePolicy createPolicy() {
- return new MaskingRewritePolicy();
- }
+
+ @PluginFactory
+ public static MaskingRewritePolicy createPolicy() {
+ return new MaskingRewritePolicy();
+ }
 /**
 * Rewrite the event.
- *
- * @param source
- * a logging event that may be returned or used to create a new
- * logging event.
+ *
+ * @param source a logging event that may be returned or used to create a
+ * new logging event.
 * @return The LogEvent after rewriting.
 */
- @Override
+ @Override
 public LogEvent rewrite(LogEvent source) {
 // get the markers for the log event. If no markers, nothing can be
 // tagged confidential and we can return
 Marker sourceMarker = source.getMarker();
- if (sourceMarker == null)
+ if (sourceMarker == null) {
 return source;
+ }
 // get the message. If no message we can return
 final Message msg = source.getMessage();
- if (msg == null || !(msg instanceof ParameterizedMessage))
+ if (msg == null || !(msg instanceof ParameterizedMessage)) {
 return source;
+ }
 // get the parameters. If no params we can return
 Object[] params = msg.getParameters();
- if (params == null || params.length == 0)
+ if (params == null || params.length == 0) {
 return source;
+ }
 // check if this event is actually marked as confidential. If not,
 // return
 Log4jMarker eventMarker = new Log4jMarker(sourceMarker);
- if (!eventMarker.contains(SecurityMarkers.CONFIDENTIAL))
+ if (!eventMarker.contains(SecurityMarkers.CONFIDENTIAL)) {
 return source;
+ }
 // we have a message, parameters, a marker, and it is confidential.
 // Process
 for (int i = 0; i < params.length; i++) {
 params[i] = MASKED_PASSWORD;
 }
-
+
 // create new message
 Message outMessage = new ParameterizedMessage(msg.getFormat(), params, msg.getThrowable());
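Review bot: The masking loop writes `MASKED_PASSWORD` into the array obtained from `Object[] params = msg.getParameters();`, which for `ParameterizedMessage` is, as far as I know, the message's own argument array rather than a copy, so the source event's message is altered in place as a side effect of building `outMessage`; the same loop appears as context in the patch-3 hunk at -75. If that is intended — a fail-safe so that any other appender handed the same event also sees masked values — it belongs in the method's Javadoc; if not, copy before the loop with `params = params.clone();`. The reformatted Javadoc is also the place to state the policy's actual coverage, which the guards make clear but the doc does not: only a `ParameterizedMessage` with at least one parameter is touched, every parameter is replaced rather than only sensitive ones, and the format string is never masked, so a CONFIDENTIAL event whose sensitive value was concatenated into the message text passes through unchanged. In `if (msg == null || !(msg instanceof ParameterizedMessage))` the null test is redundant, since `instanceof` is false for null. The method's tail (`// build new log event for output` through `return output;`) is in the next hunk.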
@@ -83,7 +86,7 @@ public LogEvent rewrite(LogEvent source) {
 // build new log event for output
 LogEvent output = new Log4jLogEvent.Builder(source)
 .setMessage(outMessage).build();
-
+
 return output;
 }
diff --git a/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/PureLog4jTest.java b/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/PureLog4jTest.java
index 535839d..633c307 100644
--- a/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/PureLog4jTest.java
+++ b/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/PureLog4jTest.java
@@ -13,19 +13,12 @@
 */
 package org.owasp.security.logging.log4j;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-
-import org.apache.logging.log4j.core.Filter;
-import org.apache.logging.log4j.core.LogEvent;
 import org.apache.logging.log4j.junit.LoggerContextRule;
 import org.apache.logging.log4j.test.appender.ListAppender;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.ClassRule;
 import org.junit.Test;
-import org.owasp.security.logging.SecurityMarkers;
-import org.owasp.security.logging.log4j.filter.ExcludeClassifiedMarkerFilter;
 /**
 *
@@ -62,7 +55,7 @@ public void test() {
 LOGGER.error("Monster!");
 }
- /*
+ /*
 @Test
 public void testRaw() {
 // create a new marker filter
@@ -133,6 +126,6 @@ public void testRaw() {
 LogEvent multiSecurityEvent = appender.getEvents().get(9);
 assertEquals(Filter.Result.DENY, mkt.filter(multiSecurityEvent));
 }
- */
+ */
 }
diff --git a/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/mask/CRLFConverterTest.java b/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/mask/CRLFConverterTest.java
index 096fa74..24d389b 100644
--- a/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/mask/CRLFConverterTest.java
+++ b/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/mask/CRLFConverterTest.java
@@ -30,7 +30,7 @@
 /**
 * Log4j already includes a converter to escape carriage returns and line feeds.
 * This test just verifies that it works as expected.
- *
+ *
 * @author August Detlefsen [augustd@codemagi.com]
 */
 @RunWith(MockitoJUnitRunner.class)
diff --git a/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/mask/MaskingRewritePolicyTest.java b/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/mask/MaskingRewritePolicyTest.java
index 1c9e142..fa74bc5 100644
--- a/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/mask/MaskingRewritePolicyTest.java
+++ b/owasp-security-logging-log4j/src/test/java/org/owasp/security/logging/log4j/mask/MaskingRewritePolicyTest.java
@@ -1,33 +1,20 @@
 package org.owasp.security.logging.log4j.mask;
-import junit.framework.TestCase;
-
-import org.apache.logging.log4j.Level;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.apache.logging.log4j.MarkerManager;
 import org.apache.logging.log4j.core.LogEvent;
-import org.apache.logging.log4j.core.impl.Log4jLogEvent;
-import org.apache.logging.log4j.core.impl.Log4jLogEvent.Builder;
 import org.apache.logging.log4j.junit.LoggerContextRule;
 import org.apache.logging.log4j.message.Message;
-import org.apache.logging.log4j.message.ParameterizedMessage;
 import org.apache.logging.log4j.message.ParameterizedMessageFactory;
-import org.apache.logging.log4j.message.SimpleMessage;
 import org.apache.logging.log4j.test.appender.ListAppender;
 import org.junit.After;
 import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotSame;
-import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 import org.junit.Before;
 import org.junit.ClassRule;
-import org.junit.FixMethodOrder;
 import org.junit.Test;
-import org.junit.runners.MethodSorters;
 import org.owasp.security.logging.SecurityMarkers;
 import org.owasp.security.logging.log4j.Log4JMarkerConverter;
-import org.slf4j.LoggerFactory;
 import org.slf4j.Marker;
 /**
@@ -42,119 +29,120 @@ * * @version $Revision$ */ -public class MaskingRewritePolicyTest { +public class MaskingRewritePolicyTest { private static final String CONFIG = "log4j2.xml"; - private static final String SSN = "123-45-6789"; + private static final String SSN = "123-45-6789"; @ClassRule public static LoggerContextRule context = new LoggerContextRule(CONFIG); - Logger LOGGER; + Logger LOGGER; ListAppender appender; @Before public void setUp() { - LOGGER = LogManager.getLogger(MaskingRewritePolicyTest.class, new ParameterizedMessageFactory()); - appender = context.getListAppender("List"); + LOGGER = LogManager.getLogger(MaskingRewritePolicyTest.class, new ParameterizedMessageFactory()); + appender = context.getListAppender("List"); + } + + @After + public void tearDown() { + appender.clear(); + } + + @Test + public void testRewriteMultiMarker() { + System.out.println("running testRewriteMultiMarker()"); + + //get multi marker + Marker multiMarker = SecurityMarkers.getMarker(SecurityMarkers.CONFIDENTIAL, SecurityMarkers.SECURITY_FAILURE); + + // test a logging event with the multi-marker + LOGGER.info(Log4JMarkerConverter.convertMarker(multiMarker), "ssn={}", SSN); + LogEvent failEvent = appender.getEvents().get(0); + Message message = failEvent.getMessage(); + + System.out.println("Formatted message: " + message.getFormattedMessage()); + assertTrue(message.getFormattedMessage().contains("ssn=" + MaskingRewritePolicy.MASKED_PASSWORD)); + } + + /** + * This test case has the CONFIDENTIAL marker so the results should be + * masked + */ + @Test + public void testRewriteConfidentialWithParams() { + System.out.println("running testRewriteConfidentialWithParams()"); + + // test a logging event with the CONFIDENTIAL marker + LOGGER.info(Log4JMarkerConverter.convertMarker(SecurityMarkers.CONFIDENTIAL), "ssn={}", SSN); + LogEvent failEvent = appender.getEvents().get(0); + Message message = failEvent.getMessage(); + + System.out.println("Formatted message: " + 
message.getFormattedMessage()); + assertTrue(message.getFormattedMessage().contains("ssn=" + MaskingRewritePolicy.MASKED_PASSWORD)); } - @After - public void tearDown() { - appender.clear(); - } - - @Test - public void testRewriteMultiMarker() { - System.out.println("running testRewriteMultiMarker()"); - - //get multi marker - Marker multiMarker = SecurityMarkers.getMarker(SecurityMarkers.CONFIDENTIAL, SecurityMarkers.SECURITY_FAILURE); - - // test a logging event with the multi-marker - LOGGER.info(Log4JMarkerConverter.convertMarker(multiMarker), "ssn={}", SSN); - LogEvent failEvent = appender.getEvents().get(0); - Message message = failEvent.getMessage(); - - System.out.println("Formatted message: " + message.getFormattedMessage()); - assertTrue(message.getFormattedMessage().contains("ssn=" + MaskingRewritePolicy.MASKED_PASSWORD)); - } - - /** - * This test case has the CONFIDENTIAL marker so the results should be masked - */ - @Test - public void testRewriteConfidentialWithParams() { - System.out.println("running testRewriteConfidentialWithParams()"); - - // test a logging event with the CONFIDENTIAL marker - LOGGER.info(Log4JMarkerConverter.convertMarker(SecurityMarkers.CONFIDENTIAL), "ssn={}", SSN); - LogEvent failEvent = appender.getEvents().get(0); - Message message = failEvent.getMessage(); - - System.out.println("Formatted message: " + message.getFormattedMessage()); - assertTrue(message.getFormattedMessage().contains("ssn=" + MaskingRewritePolicy.MASKED_PASSWORD)); - } - - /** - * This test case has the CONFIDENTIAL marker, but it is not parameterized - * so masking cannot take place. 
- */ - @Test - public void testRewriteConfidentialNoParams() { - System.out.println("running testRewriteConfidentialNoParams()"); - - // test a logging event with the CONFIDENTIAL marker - LOGGER.info(Log4JMarkerConverter.convertMarker(SecurityMarkers.CONFIDENTIAL), "ssn=" + SSN); - LogEvent failEvent = appender.getEvents().get(0); - Message message = failEvent.getMessage(); - - System.out.println("Formatted message: " + message.getFormattedMessage()); - assertTrue(message.getFormattedMessage().contains("ssn=" + SSN)); - } - - /** - * This test case is parameterized, but does not have the CONFIDENTIAL - * marker, so it should not be masked - */ - @Test - public void testRewriteNotConfidential() { - System.out.println("running testRewriteSingleMarker()"); - - // test a logging event with the CONFIDENTIAL marker - LOGGER.info(Log4JMarkerConverter.convertMarker(SecurityMarkers.SECURITY_SUCCESS), "ssn={}", SSN); - LogEvent failEvent = appender.getEvents().get(0); - Message message = failEvent.getMessage(); - - System.out.println("Formatted message: " + message.getFormattedMessage()); - assertTrue(message.getFormattedMessage().contains("ssn=" + SSN)); - } - - @Test - public void testRewriteNoMarker() { - System.out.println("running testRewriteNoMarker()"); - - // test a logging event with no marker - LOGGER.info("ssn={}", SSN); - LogEvent failEvent = appender.getEvents().get(0); - Message message = failEvent.getMessage(); - - System.out.println("Formatted message: " + message.getFormattedMessage()); - assertTrue(message.getFormattedMessage().contains("ssn=" + SSN)); - } - + /** + * This test case has the CONFIDENTIAL marker, but it is not parameterized + * so masking cannot take place. 
+ */ @Test - public void testRewriteConfidentialNoMessage() { - System.out.println("running testRewriteConfidentialNoMessage()"); - - // test a logging event with null marker - String nullString = null; - LOGGER.info(nullString); - LogEvent failEvent = appender.getEvents().get(0); - Message message = failEvent.getMessage(); - - System.out.println("Formatted message: " + message.getFormattedMessage()); - assertEquals(message.getFormattedMessage(), "null"); + public void testRewriteConfidentialNoParams() { + System.out.println("running testRewriteConfidentialNoParams()"); + + // test a logging event with the CONFIDENTIAL marker + LOGGER.info(Log4JMarkerConverter.convertMarker(SecurityMarkers.CONFIDENTIAL), "ssn=" + SSN); + LogEvent failEvent = appender.getEvents().get(0); + Message message = failEvent.getMessage(); + + System.out.println("Formatted message: " + message.getFormattedMessage()); + assertTrue(message.getFormattedMessage().contains("ssn=" + SSN)); + } + + /** + * This test case is parameterized, but does not have the CONFIDENTIAL + * marker, so it should not be masked + */ + @Test + public void testRewriteNotConfidential() { + System.out.println("running testRewriteSingleMarker()"); + + // test a logging event with the CONFIDENTIAL marker + LOGGER.info(Log4JMarkerConverter.convertMarker(SecurityMarkers.SECURITY_SUCCESS), "ssn={}", SSN); + LogEvent failEvent = appender.getEvents().get(0); + Message message = failEvent.getMessage(); + + System.out.println("Formatted message: " + message.getFormattedMessage()); + assertTrue(message.getFormattedMessage().contains("ssn=" + SSN)); + } + + @Test + public void testRewriteNoMarker() { + System.out.println("running testRewriteNoMarker()"); + + // test a logging event with no marker + LOGGER.info("ssn={}", SSN); + LogEvent failEvent = appender.getEvents().get(0); + Message message = failEvent.getMessage(); + + System.out.println("Formatted message: " + message.getFormattedMessage()); + 
assertTrue(message.getFormattedMessage().contains("ssn=" + SSN)); + } + + @Test + public void testRewriteConfidentialNoMessage() { + System.out.println("running testRewriteConfidentialNoMessage()"); + + // test a logging event with null marker + String nullString = null; + LOGGER.info(nullString); + LogEvent failEvent = appender.getEvents().get(0); + Message message = failEvent.getMessage(); + + System.out.println("Formatted message: " + message.getFormattedMessage()); + assertEquals(message.getFormattedMessage(), "null"); } } From 0b5b7a94d8a6ca9f62ca3bdc84b53bd78e3b8c25 Mon Sep 17 00:00:00 2001 From: August Date: Wed, 21 Mar 2018 09:35:39 -0700 Subject: [PATCH 5/5] Update project version See #36 --- owasp-security-logging-common/pom.xml | 2 +- owasp-security-logging-log4j/pom.xml | 2 +- owasp-security-logging-logback/pom.xml | 2 +- pom.xml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/owasp-security-logging-common/pom.xml b/owasp-security-logging-common/pom.xml index 40cc1f3..c100ace 100644 --- a/owasp-security-logging-common/pom.xml +++ b/owasp-security-logging-common/pom.xml @@ -4,7 +4,7 @@ security-logging org.owasp - 1.1.5 + 1.1.6 ../pom.xml security-logging-common diff --git a/owasp-security-logging-log4j/pom.xml b/owasp-security-logging-log4j/pom.xml index 4dcd789..27f0616 100644 --- a/owasp-security-logging-log4j/pom.xml +++ b/owasp-security-logging-log4j/pom.xml @@ -4,7 +4,7 @@ security-logging org.owasp - 1.1.5 + 1.1.6 ../pom.xml security-logging-log4j diff --git a/owasp-security-logging-logback/pom.xml b/owasp-security-logging-logback/pom.xml index 5ea38ae..cf93363 100644 --- a/owasp-security-logging-logback/pom.xml +++ b/owasp-security-logging-logback/pom.xml @@ -4,7 +4,7 @@ security-logging org.owasp - 1.1.5 + 1.1.6 ../pom.xml security-logging-logback diff --git a/pom.xml b/pom.xml index 7e99ae2..e3dfc90 100644 --- a/pom.xml +++ b/pom.xml 
@@ -4,7 +4,7 @@ org.owasp security-logging - 1.1.5 + 1.1.6 pom OWASP Security Logging The OWASP Security Logging project provides developers and ops personnel with APIs for logging security-related events.