How to sanitize log injection in codeql for java? #12641
-
I have a case where I log a response, and for it I am getting java/log-injection alerts. I tried to follow the recommendation and remove line breaks, and I am still getting the alerts. I tried to sanitize with this approach: String sanitizedMessage = str.replace("\n", "").replace("\r", ""); So what are the characters to be replaced, or what checks have to be followed, for CodeQL to regard a user-provided value as sanitized and not raise log injection alerts when it is logged?
Replies: 2 comments
-
Hi @PuspitaGhosh,
Your sanitization is correct. Please see #10702, where this was also reported. We agreed to improve the query to properly recognize the sanitizers, and did it in the PR #10707. Once that PR is merged, your alerts should disappear.
Apologies for the confusion!
-
Is there any chance that this can be improved further? For example, the current solution does not allow me to write particularly clean code. I have created a utility method that does the sanitization, so I do not have to repeat the same steps all over the place. However, the scan does not pick up on that. Nor does it allow me to use replaceAll("[\r\n]", ""), which in my opinion is a cleaner way of replacing line breaks. So for me this check is very annoying, as I had to mark all complaints as "False positive" so they would go away...
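Added example (not code from this thread or from the CodeQL project): a Java utility that shows what the sanitization discussed above actually prevents. A value an attacker controls, such as a request header, is logged once raw and once after stripping CR/LF, so the forged second log line is visible in the first case and collapsed onto one line in the second. `stripLineBreaks` uses the same chained `replace` form the question posted; `escapeControlChars` is a stricter variant of my own that makes every control character visible instead of silently dropping it. The class and method names, the use of `java.util.logging`, and the sample `User-Agent` value are all constructed for this illustration. Whether CodeQL recognises a given form as a sanitizer is exactly what the thread is about, so this shows the defence itself, not what the query will or will not flag.

```java
import java.util.logging.Logger;

/** Added example: neutralize log-injection characters before logging attacker-controlled text. */
public final class LogSanitizer {
    private static final Logger LOG = Logger.getLogger(LogSanitizer.class.getName());

    private LogSanitizer() {}

    /**
     * Removes CR and LF so an attacker-controlled value cannot terminate the
     * current log line and start a forged one. This is the chained-replace
     * form posted in the question above.
     */
    public static String stripLineBreaks(String value) {
        if (value == null) {
            return "null";
        }
        return value.replace("\n", "").replace("\r", "");
    }

    /**
     * Stricter variant (my own, not something the thread discusses): rewrite
     * every ASCII control character as a visible escape so a reviewer reading
     * the log can see that tampering was attempted rather than losing it.
     */
    public static String escapeControlChars(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\n': sb.append("\\n"); break;
                case '\r': sb.append("\\r"); break;
                case '\t': sb.append("\\t"); break;
                default:
                    if (c < 0x20 || c == 0x7f) {
                        // Other control characters (e.g. ESC, used for terminal escape sequences)
                        sb.append(String.format("\\x%02x", (int) c));
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed input: a User-Agent header that tries to forge a second log entry.
        String userAgent = "Mozilla/5.0\r\nINFO: login succeeded for user=admin";

        // Vulnerable: the forged text lands on its own line and looks like a real entry.
        LOG.info("User-Agent: " + userAgent);

        // Hardened: the entire value stays on a single log line.
        LOG.info("User-Agent: " + stripLineBreaks(userAgent));
        LOG.info("User-Agent: " + escapeControlChars(userAgent));
    }
}
```

Run it with `javac LogSanitizer.java && java LogSanitizer` and compare the three entries: only the first produces a line that starts with `INFO: login succeeded for user=admin`. If the log is ever viewed in a terminal, the escaping variant also stops ESC-based control sequences, which removing only CR and LF does not.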