UUID should not be able to cause log-injection

[Sarastro72]

I am getting a false positive for a log-injection in the following code snippet. It has been slightly simplified from the actual codebase but the important bits are the same.

    public ImageUploadResponse uploadImageFile(
         @PathParam("organizationUuid") UUID organizationUuid,
         UploadRequest body
    ) {
        try {
                // Do something
            } catch (Exception e) {
                LOG.info("Unable to upload file for organization={}", organizationUuid);
                throw new BadRequestException("Image format not supported");
            }
    }

In the above example organizationUuid is marked as unsafe, but I fail to see how a UUID can cause a log-injection issue. Am I missing something?

[hvitved]

@github/codeql-java: A question for you.

[atorralba]

Hey @Sarastro72, thanks for the report!

This is indeed a false positive, but not something specific to log injection: in general, our data flow queries don't restrict sources by type at this level because there are many types that cannot realistically carry taint, but also there are many that can — so adding a type-by-type exception doesn't seem to scale very well, but doing something like "accept only String sources" obviously would introduce false negatives.

Nevertheless, we agree this could be improved, so we've tracked it in an internal issue and will address it generally once we decide on a proper solution.

[Sarastro72]

I completely understand this complexity. In my world the UUID Object is a very common one. One suggestion could be to have a limited whitelist of "standard" types that seem to be used a lot. But I could understand if you think maintaining such a list would be more hassle than what it's worth.

[atorralba]

If it helps, until we provide an official solution, and if you're working with CodeQL rather than just with Code Scanning, you can always create a subclass of LogInjectionSanitizer in Customizations.qll that matches the UUID type in your scans. So, something like:

private class UuidLogInjectionSanitizer extends LogInjectionSanitizer {
  UuidLogInjectionSanitizer() { this.getType().(RefType).hasQualifiedName("java.util", "UUID") }
}

You could technically do the same in code scanning, but you'd need to create a copy of LogInjection.ql, add the sanitizer to it, disable the default log injection query, and finally enable your custom version.

If you're interested in this approach, you can find more information here:

• Specifying additional queries
• Disabling the default queries