From 41d4d7c02fbda59d61e41aec2f171b406057dfbe Mon Sep 17 00:00:00 2001
From: Dominique RIGHETTO
Date: Fri, 24 Oct 2025 15:26:57 +0200
Subject: [PATCH 1/5] Add files via upload
---
.../java-logging-from-string-parameter.java | 37 +++++++++++++++++++
.../java-logging-from-string-parameter.yaml | 37 +++++++++++++++++++
2 files changed, 74 insertions(+)
create mode 100644 java/lang/security/audit/java-logging-from-string-parameter.java
create mode 100644 java/lang/security/audit/java-logging-from-string-parameter.yaml
diff --git a/java/lang/security/audit/java-logging-from-string-parameter.java b/java/lang/security/audit/java-logging-from-string-parameter.java
new file mode 100644
index 0000000000..e6c72adcd9
--- /dev/null
+++ b/java/lang/security/audit/java-logging-from-string-parameter.java
@@ -0,0 +1,37 @@
+package com.test;
+
+import org.slf4j.LoggerFactory;
+import org.slf4j.Logger;
+
+public class Cases {
+
+ private static final Logger logger = LoggerFactory.getLogger(Cases.class);
+
+ public void case1(String param, long x) {
+ //ruleid: java-logging-from-string-parameter
+ logger.trace("Msg {}",param);
+ //ruleid: java-logging-from-string-parameter
+ logger.debug("Msg {}",param);
+ //ruleid: java-logging-from-string-parameter
+ logger.info("Msg {}",param);
+ //ruleid: java-logging-from-string-parameter
+ logger.warn("Msg {}",param);
+ //ruleid: java-logging-from-string-parameter
+ logger.error("Msg {}",param);
+ }
+
+ public void case2(String param, long x) {
+ String param_clean = param.replace("<","").replace(">","");
+ param_clean = param_clean.replace("\n","");
+ //ok: java-logging-from-string-parameter
+ logger.trace("Msg {}",param_clean);
+ //ok: java-logging-from-string-parameter
+ logger.debug("Msg {}",param_clean);
+ //ok: java-logging-from-string-parameter
+ logger.info("Msg {}",param_clean);
+ //ok: java-logging-from-string-parameter
+ logger.warn("Msg {}",param_clean);
+ //ok: java-logging-from-string-parameter
+ logger.error("Msg {}",param_clean);
+ }
+}
\ No newline at end of file
diff --git a/java/lang/security/audit/java-logging-from-string-parameter.yaml b/java/lang/security/audit/java-logging-from-string-parameter.yaml
new file mode 100644
index 0000000000..1983ab6029
--- /dev/null
+++ b/java/lang/security/audit/java-logging-from-string-parameter.yaml
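Review bot: The `case2` sanitizer that the `ok` lines rely on strips `<`, `>` and `\n` but leaves `\r`, so a carriage-return-only payload still forges a new log line on any appender that writes raw text; if this fixture is meant to show an acceptable fix, extend it with `param_clean = param_clean.replace("\r","");` or route the value through an encoder such as the OWASP Java Encoder that the rule's references already cite. These lines are also `ok` only because `param_clean` is a different identifier from the bound `$PARAM`; the rule does no taint tracking, so a `param = param.replace(...)` reassignment would still be flagged and `logger.info("Msg {}", param.trim())` would not. A comment on `case2` saying that the `ok` status comes from the renamed variable, not from Semgrep recognising a sanitizer, would keep the fixture honest.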
@@ -0,0 +1,37 @@
+rules:
+ - id: java-logging-from-string-parameter
+ languages:
+ - java
+ severity: WARNING
+ message: An unsanitized String method parameter is used as an argument to a logger call, which could lead to a log injection vulnerability.
+ patterns:
+ - pattern-inside: |
+ $TYPE $METHOD(..., String $PARAM, ...) {
+ ...
+ }
+ - pattern: $LOGGER.$LEVEL($FORMAT_STRING, $PARAM, ...)
+ metavariable-regex:
+ $LEVEL: 'trace|debug|info|warn|error'
+ fix: Ensure that a validation is in place prior to use a user-controller information to create a log event.
+ paths:
+ include:
+ - "**/*.java"
+ metadata:
+ category: security
+ owasp:
+ - A03:2021 Injection
+ technology:
+ - java
+ references:
+ - https://capec.mitre.org/data/definitions/93.html
+ - https://vulncat.fortify.com/en/weakness?q=log%20forging
+ - https://learn.snyk.io/lesson/logging-vulnerabilities/?ecosystem=java
+ - https://owasp.org/www-project-java-encoder/
+ - https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
+ cwe:
+ - "CWE-117: Improper Output Neutralization for Logs"
+ likelihood: LOW
+ impact: LOW
+ confidence: LOW
+ subcategory:
+ - audit
From 883c67c43851f7de1dc5ac1f07e8b19fdc6eb421 Mon Sep 17 00:00:00 2001
From: Dominique RIGHETTO
Date: Fri, 24 Oct 2025 15:57:27 +0200
Subject: [PATCH 2/5] Fix unsupported property
---
.../java-logging-from-string-parameter.yaml | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/java/lang/security/audit/java-logging-from-string-parameter.yaml b/java/lang/security/audit/java-logging-from-string-parameter.yaml
index 1983ab6029..a6edbfced5 100644
--- a/java/lang/security/audit/java-logging-from-string-parameter.yaml
+++ b/java/lang/security/audit/java-logging-from-string-parameter.yaml
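Review bot: `fix:` is Semgrep's autofix replacement text, not remediation guidance, so `semgrep --autofix` would replace every matched `logger.*(...)` statement with the English sentence on that line and leave the file uncompilable. Drop the `fix:` key and fold the advice into `message:` (also correcting `user-controller` to `user-controlled`), e.g. `message: ... Validate or encode user-controlled input before using it to create a log event.`. If a machine-applicable fix is wanted later, a `fix:` that substitutes a real expression such as `$LOGGER.$LEVEL($FORMAT_STRING, Encode.forJava($PARAM), ...)` is the shape to use, and only once the encoder dependency is confirmed in the target projects.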
@@ -3,16 +3,21 @@ rules:
languages:
- java
severity: WARNING
- message: An unsanitized String method parameter is used as an argument to a logger call, which could lead to a log injection vulnerability.
+ message: An unsanitized String method parameter is used as an argument to a
+ logger call, which could lead to a log injection vulnerability.
patterns:
- pattern-inside: |
- $TYPE $METHOD(..., String $PARAM, ...) {
- ...
- }
- - pattern: $LOGGER.$LEVEL($FORMAT_STRING, $PARAM, ...)
- metavariable-regex:
- $LEVEL: 'trace|debug|info|warn|error'
- fix: Ensure that a validation is in place prior to use a user-controller information to create a log event.
+ $TYPE $METHOD(..., String $PARAM, ...) {
+ ...
+ }
+ - pattern-either:
+ - pattern: $LOGGER.trace($FORMAT_STRING, $PARAM, ...)
+ - pattern: $LOGGER.debug($FORMAT_STRING, $PARAM, ...)
+ - pattern: $LOGGER.info($FORMAT_STRING, $PARAM, ...)
+ - pattern: $LOGGER.warn($FORMAT_STRING, $PARAM, ...)
+ - pattern: $LOGGER.error($FORMAT_STRING, $PARAM, ...)
+ fix: Ensure that a validation is in place prior to use a user-controller
+ information to create a log event.
paths:
include:
- "**/*.java"
From 67eb9380ef7c3d19780cb17c17b58805b635b8b7 Mon Sep 17 00:00:00 2001
From: Dominique RIGHETTO
Date: Fri, 24 Oct 2025 16:06:40 +0200
Subject: [PATCH 3/5] Fix formatting errors.
---
.../audit/java-logging-from-string-parameter.yaml | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/java/lang/security/audit/java-logging-from-string-parameter.yaml b/java/lang/security/audit/java-logging-from-string-parameter.yaml
index a6edbfced5..0089070e5d 100644
--- a/java/lang/security/audit/java-logging-from-string-parameter.yaml
+++ b/java/lang/security/audit/java-logging-from-string-parameter.yaml
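Review bot: Each of the five new `$LOGGER.<level>($FORMAT_STRING, $PARAM, ...)` patterns only matches when the String parameter is the second argument, so `logger.info("user {} did {}", id, param)` and, more importantly, `logger.info(param)` — where the untrusted value becomes the format string itself — produce no finding. Writing them as `$LOGGER.info(..., $PARAM, ...)` (and likewise for the other levels) covers every argument position including the first, and the `case1` fixture still matches. A `ruleid` fixture line such as `logger.info(param);` would keep that gap covered.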
@@ -3,21 +3,19 @@ rules:
languages:
- java
severity: WARNING
- message: An unsanitized String method parameter is used as an argument to a
- logger call, which could lead to a log injection vulnerability.
+ message: An unsanitized String method parameter is used as an argument to a logger call, which could lead to a log injection vulnerability.
patterns:
- pattern-inside: |
$TYPE $METHOD(..., String $PARAM, ...) {
...
}
- - pattern-either:
+ - pattern-either:
- pattern: $LOGGER.trace($FORMAT_STRING, $PARAM, ...)
- pattern: $LOGGER.debug($FORMAT_STRING, $PARAM, ...)
- pattern: $LOGGER.info($FORMAT_STRING, $PARAM, ...)
- pattern: $LOGGER.warn($FORMAT_STRING, $PARAM, ...)
- pattern: $LOGGER.error($FORMAT_STRING, $PARAM, ...)
- fix: Ensure that a validation is in place prior to use a user-controller
- information to create a log event.
+ fix: Ensure that a validation is in place prior to use a user-controller information to create a log event.
paths:
include:
- "**/*.java"
From 2fe92c582cdd8fdd741e2c3be5fcc55c10e20f0f Mon Sep 17 00:00:00 2001
From: Dominique RIGHETTO
Date: Tue, 4 Nov 2025 18:22:13 +0100
Subject: [PATCH 4/5] Add limitation to web controller methods
---
.../security/audit/java-logging-from-string-parameter.yaml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/java/lang/security/audit/java-logging-from-string-parameter.yaml b/java/lang/security/audit/java-logging-from-string-parameter.yaml
index 0089070e5d..58561483bf 100644
--- a/java/lang/security/audit/java-logging-from-string-parameter.yaml
+++ b/java/lang/security/audit/java-logging-from-string-parameter.yaml
@@ -3,12 +3,16 @@ rules:
languages:
- java
severity: WARNING
- message: An unsanitized String method parameter is used as an argument to a logger call, which could lead to a log injection vulnerability.
+ message: An unsanitized string parameter is passed to a web controller method and subsequently used in a logger call, which could lead to a log injection vulnerability.
patterns:
- pattern-inside: |
+ @$ANNO(...)
$TYPE $METHOD(..., String $PARAM, ...) {
...
}
+ - metavariable-pattern:
+ metavariable: $ANNO
+ pattern-regex: "(GetMapping|PostMapping|PutMapping|DeleteMapping|PatchMapping|RequestMapping|GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS|WebMethod)"
- pattern-either:
- pattern: $LOGGER.trace($FORMAT_STRING, $PARAM, ...)
- pattern: $LOGGER.debug($FORMAT_STRING, $PARAM, ...)
From 4cd01add2127463ced9fd52ea357a5c4591fa36a Mon Sep 17 00:00:00 2001
From: Dominique RIGHETTO
Date: Tue, 4 Nov 2025 18:22:36 +0100
Subject: [PATCH 5/5] Add limitation to web controller methods
---
.../java-logging-from-string-parameter.java | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/java/lang/security/audit/java-logging-from-string-parameter.java b/java/lang/security/audit/java-logging-from-string-parameter.java
index e6c72adcd9..924989645a 100644
--- a/java/lang/security/audit/java-logging-from-string-parameter.java
+++ b/java/lang/security/audit/java-logging-from-string-parameter.java
@@ -1,12 +1,13 @@
package com.test;
-import org.slf4j.LoggerFactory;
-import org.slf4j.Logger;
+import org.slf4j.*;
+import org.springframework.web.bind.annotation.*;
public class Cases {
private static final Logger logger = LoggerFactory.getLogger(Cases.class);
+ @GetMapping
public void case1(String param, long x) {
//ruleid: java-logging-from-string-parameter
logger.trace("Msg {}",param);
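Review bot: `pattern-regex` under `metavariable-pattern` is an unanchored search, so any annotation whose name merely contains one of the alternatives (a custom `MyRequestMapping`, or `HEAD`/`OPTIONS`-prefixed names) would also pass the filter; anchor it with `pattern-regex: "^(GetMapping|PostMapping|PutMapping|DeleteMapping|PatchMapping|RequestMapping|GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS|WebMethod)$"`. Limiting `pattern-inside` to annotated methods also turns a parameter that is only logged in an unannotated helper called from the controller into a deliberate false negative, which the new `message:` should state so that an `ok` on such a method is not read as a safety claim. Whether `@$ANNO(...)` matches the bare `@GetMapping` form used in the fixture is established by the fixture run rather than by the pattern text, so the bare form should stay in the test.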
@@ -20,6 +21,7 @@ public void case1(String param, long x) {
logger.error("Msg {}",param);
}
+ @PostMapping
public void case2(String param, long x) {
String param_clean = param.replace("<","").replace(">","");
param_clean = param_clean.replace("\n","");
@@ -34,4 +36,17 @@ public void case2(String param, long x) {
//ok: java-logging-from-string-parameter
logger.error("Msg {}",param_clean);
}
-}
\ No newline at end of file
+
+ public void case3(String param, long x) {
+ //ok: java-logging-from-string-parameter
+ logger.trace("Msg {}",param);
+ //ok: java-logging-from-string-parameter
+ logger.debug("Msg {}",param);
+ //ok: java-logging-from-string-parameter
+ logger.info("Msg {}",param);
+ //ok: java-logging-from-string-parameter
+ logger.warn("Msg {}",param);
+ //ok: java-logging-from-string-parameter
+ logger.error("Msg {}",param);
+ }
+}
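Review bot: `case3` is marked `ok` on all five lines, yet the logging there is identical to `case1`; it goes unflagged only because the method carries no web annotation, and a reader will take `ok` as an endorsement of the code. Add a comment above the method, e.g. `// Not a controller entry point: out of scope for this rule, not a safe pattern.`, so the fixture documents a scoping decision rather than a sanitisation. If the rule is later widened (for example with taint mode from the controller parameter into helpers), these are the first lines that should flip to `ruleid`.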