gitlab.find_sec_bugs.CRLF_INJECTION_LOGS-1

unknown
Download Count*
MIT
License

When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content. Inserted false entries could be used to skew statistics, distract the administrator or even to implicate another party in the commission of a malicious act. If the log file is processed automatically, the attacker can render the file unusable by corrupting the format of the file or injecting unexpected characters. An attacker may also inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility (e.g. command injection or XSS).

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: find_sec_bugs.CRLF_INJECTION_LOGS-1
    patterns:
      - pattern-either:
          - pattern: |
              $TAINTED = (HttpServletRequest $REQ).getParameter(...);
              ...
              $LOGGER.$METHOD(...,$TAINTED,...);
          - pattern: |
              $TAINTED = (HttpServletRequest $REQ).getParameter(...);
              ...
              $VAR = String.Format(..., $TAINTED,...);
              ...
              $LOGGER.$METHOD(...,$VAR,...);
          - pattern: |
              $TAINTED = (HttpServletRequest $REQ).getParameter(...);
              ...
              $LOGGER.$METHOD(...,String.Format(..., $TAINTED,...),...);
          - pattern: |
              $TAINTED = (HttpServletRequest $REQ).getParameter(...);
              ...
              $VAR = ... + $TAINTED + ...;
              ...
              $LOGGER.$METHOD(...,$VAR,...);
          - pattern: |
              $TAINTED = (HttpServletRequest $REQ).getParameter(...);
              ...
              $LOGGER.$METHOD(...,... + $TAINTED + ...,...);
      - metavariable-regex:
          metavariable: $METHOD
          regex: (log|logp|logrb|entering|exiting|fine|finer|finest|info|debug|trace|warn|warning|config|error|severe)
      - metavariable-pattern:
          metavariable: $LOGGER
          pattern-either:
            - pattern: (Logger $LOG)
            - pattern: org.pmw.tinylog.Logger
            - pattern: org.apache.log4j.Logger
            - pattern: org.apache.logging.log4j.Logger
            - pattern: org.slf4j.Logger
            - pattern: org.apache.commons.logging.Log
            - pattern: java.util.logging.Logger
    message: >
      When data from an untrusted source is put into a logger and not
      neutralized correctly, an

      attacker could forge log entries or include malicious content. Inserted false entries could be

      used to skew statistics, distract the administrator or even to implicate another party in the

      commission of a malicious act. If the log file is processed automatically, the attacker can

      render the file unusable by corrupting the format of the file or injecting unexpected

      characters. An attacker may also inject code or other commands into the log file and take

      advantage of a vulnerability in the log processing utility (e.g. command injection or XSS).
    languages:
      - java
    severity: ERROR
    metadata:
      category: security
      cwe: "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')"
      technology:
        - java
      primary_identifier: find_sec_bugs.CRLF_INJECTION_LOGS-1
      secondary_identifiers:
        - name: Find Security Bugs-CRLF_INJECTION_LOGS
          type: find_sec_bugs_type
          value: CRLF_INJECTION_LOGS
      license: MIT