(CodeQL) Fixed finding: "Log Injection"

[pixeebot-edge]

Pixee Fix ID: 029a0831-002c-4566-8c5d-35452c8d95b7

Confidence: HIGH

Fix confidence is a rating derived from an internal benchmark and includes High, Medium, and Low confidence fixes. It comprises three weighted scores reflecting the safety, effectiveness and cleanliness of Pixee's code changes within a fix. View Details in Pixee.

---

Remediation

This change fixes "Log Injection" (id = log-injection) identified by CodeQL.

Details

This change ensures that log messages can't contain newline characters, leaving you vulnerable to Log Forging / Log Injection.

If malicious users can get newline characters into a log message, they can inject and forge new log entries that look like they came from the server, and trick log analysis tools, administrators, and more. This leads to vulnerabilities like Log Injection, Log Forging, and more attacks from there.

Our change simply strips out newline characters from log messages, ensuring that they can't be used to forge new log entries.

+ import io.github.pixee.security.Newlines;
  ...
  String orderId = getUserOrderId();
- log.info("User order ID: " + orderId);
+ log.info("User order ID: " + Newlines.stripNewlines(orderId));

More reading

• https://owasp.org/www-community/attacks/Log_Injection
• https://knowledge-base.secureflag.com/vulnerabilities/inadequate_input_validation/log_injection_vulnerability.html
• https://cwe.mitre.org/data/definitions/117.html