-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Java: Add line break sanitizers to java/log-injection #10707
Java: Add line break sanitizers to java/log-injection #10707
Conversation
For the regex checks, should this also consider |
At first glance I thought that Thanks @Marcono1234, good catches! Fixed in 93d898e. |
Hello, |
Hey @vlkl-sap, thanks for your comment. While we agree that arbitrarily written logs can cause all sort of injection problems in other applications that receive and process them, this query is scoped specifically for log forging in the same application (the threat model of which is consistent with considering new line removal as valid sanitization). We disregard the other attack vectors in this query because we think they should be handled by their own, specific queries with specific sinks (XSS, JNDI injection, SQLi, OS command execution, etc). Of course that would need modeling of log reads as local sources for those queries, but that’s another topic that could be handled separately. This approach not only would provide a better alert location for developers that need to fix the issue (it’s not realistic to expect validation/sanitization for all sorts of vulnerabilities at the log write, but rather where it’s read and used dangerously), but also allows us to better scope this query with specific sinks and sanitizers. If the threat model for a particular codebase or team requires treating any logged values from user input as a potential security vulnerability, then a custom query could be created using the sinks defined for this query without any sanitizers. |
Hi @atorralba! Thanks for your reply! I am wondering what exactly "log forging in the same application" means. Since applications typically do not read their own log files, log forging is almost always a problem for some entity outside of the application. An interesting exception is log4shell, where injecting non-newline characters into a log causes a problem in the application under analysis. This furthers the point that focusing on newline injection is rather limiting. I would also say that applications can and should try to protect other entities against a wide class of vulnerabilities by being careful of how they log things. |
@atorralba any sense of when this might get merged? :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Handle more regex cases that cover line breaks
93d898e
to
f5702f5
Compare
DCA looks uneventful. Sorry @egregius313 your review got dismissed after a rebase. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
It just was :)
The sanitizers that were just merged will be published in the next release. Until then, I'm afraid the only way to make the alerts disappear is to not append user input to logs. We appreciate the feedback you gave us about this query. Based on that, we have plans to clarify the differences between log injection and log forging, where sanitizers (as well as precision and severity) may apply differently. This distinction will come in future PRs. |
Thanks again @atorralba ; we are now seeing this working in our GHE 3.8.2 instance. final Matcher matcher = PATTERN.matcher( input );
if( matcher.find() )
{
final String sanitized = matcher.replaceAll( REPLACEMENT );
LOG.warn( "possible log tampering input; replacing all '{}' in string: '{}'", PATTERN, sanitized );
return sanitized;
} |
Hey @jpcmonster, unfortunately it's hard to model all variations of how this vulnerability could get mitigated. You can see examples of what we consider vulnerable and what we consider safe in the query test.
Still, your example is common enough that we could consider supporting it. I'll take note of this potential improvement, thanks :) |
Hello, If I sanitize the user input using the following method, CodeQL is happy.
So, apparently, CodeQL has a rule to recognize the 2nd mitigation method but somehow it misses the sanitization provided via log4j2 encoding CRLF rule, which has the exact same functionality as the above escapeCRLF method. I like the 1st solution which is uniform throughout the code base, requiring no code change. So, I am wondering if you would know how to make CodeQL happy if I deploy the Log4j2 solution. Thanks in advance! |
Addresses #10702.
Note that this has two shortcomings that could become sources of FNs:
\n
or\r
instead of both.\n
or\r
and not matching[^%]
. This means something likematches("\n")
is considered a valid guard, when it isn't.