
Solution: Improper Output Neutralization For Logs (CWE ID 117)

Today we will give the solution for Improper Output Neutralization For Logs (CWE ID 117), one of the findings Veracode reports under CRLF Injection.

Improper Output Neutralization For Logs

Why it Occurs as Per the Veracode Documentation

A function call could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible.

Thus, if we don't fix this, attackers will be able to inject malicious content into our logs.

Recommendation by the Documentation

Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Only write custom blacklisting code when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.

As the documentation recommends, we could use the OWASP ESAPI Logger, but replacing the existing logger from scratch in such a big project is more than a year's work.

To do it in a simpler way, we can follow the steps below.

Solution: Improper Output Neutralization For Logs

Simply use the Spring Framework spring-web dependency, which provides a utility method for this. The method to use is HtmlUtils.htmlEscape(input.toString()).

The dependency required to use this method is shown below.

Maven Dependency

 <dependency>
     <groupId>org.springframework</groupId>
     <artifactId>spring-web</artifactId>
 </dependency>

Example

 import org.springframework.web.util.HtmlUtils;

 public class UtilsCommon {
   // Escapes HTML-significant characters in any value before it is written to a log,
   // so that a browser-based log viewer cannot interpret injected markup.
   public static String formatCRLFInjectionLogs(Object input) {
     if (input != null) {
       return HtmlUtils.htmlEscape(input.toString()); // Action method
     }
     return null;
   }
 }

 // USAGE (inside the class that logs; logger is an SLF4J-style Logger with {} placeholders)
 logger.info("Output of process is: {}",
     UtilsCommon.formatCRLFInjectionLogs(anyValue.getString()));
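As an added example (not part of the original post and not Spring's own code), the stand-alone Java class below shows the two things a log sanitizer has to do and why. HtmlUtils.htmlEscape encodes the HTML-significant characters (&, <, >, ", '), which protects a browser-based log viewer; it does not by itself remove carriage returns or line feeds, so the helper here first replaces CR and LF with the visible sequences \r and \n and only then applies the same escaping. The class name, the method neutralizeForLog, the hand-rolled escaper (used only so the example compiles without Spring on the classpath) and the sample input are all assumptions constructed for this demonstration.

```java
public class LogNeutralizerDemo {

    // Minimal HTML escaper covering the same characters HtmlUtils.htmlEscape encodes
    // (&, <, >, ", '). Hand-rolled here only so the example compiles without Spring.
    private static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hypothetical helper: neutralize a value before it is written to a log.
    // Step 1 keeps the entry on a single line by turning CR/LF into the literal
    // two-character sequences \r and \n; step 2 makes any markup inert for an
    // HTML-based log viewer.
    public static String neutralizeForLog(Object input) {
        if (input == null) {
            return null;
        }
        String value = input.toString()
                .replace("\r", "\\r")
                .replace("\n", "\\n");
        return htmlEscape(value);
    }

    public static void main(String[] args) {
        // Constructed sample: a username field carrying a line break followed by a fake
        // "login ok" entry and a script tag aimed at a browser-based log viewer.
        String untrusted = "bob\r\n2024-01-01 12:00:00 INFO  login ok user=admin <script>alert(1)</script>";

        String raw  = "login failed user=" + untrusted;
        String safe = "login failed user=" + neutralizeForLog(untrusted);

        System.out.println("--- unsanitized: two lines, the forged entry looks genuine ---");
        System.out.println(raw);
        System.out.println("--- sanitized: one line, markup escaped ---");
        System.out.println(safe);
    }
}
```

Running the class prints the same value twice: first as it would land in the log unsanitized (where the second line is indistinguishable from a real INFO entry), then after neutralizeForLog, where the whole value stays on one line and the tag appears as &lt;script&gt;. When the Spring dependency is on the classpath, the private htmlEscape method can be replaced by a call to HtmlUtils.htmlEscape; the CR/LF replacement step should stay.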

Conclusion

In this tutorial, we have covered how to solve the Improper Output Neutralization For Logs (CWE ID 117) CRLF Injection issue.

Thanks for reading this tutorial so far. If you like this tutorial then please share it with your friends and colleagues. If you have any questions, doubts, suggestions, or feedback then please drop a comment and I'll try to answer your question.

Happy Learning!!!
