augustd / owasp-security-logging

OWASP Security Logging library for Java
https://www.owasp.org/index.php/OWASP_Security_Logging_Project
Apache License 2.0

Log injection is possible in exception messages with CRLFConverter #52

Closed Piloon closed 4 years ago

Piloon commented 4 years ago
If an exception is created with a message containing \r or \n, they are not replaced by the CRLFConverter class.
java.lang.IllegalArgumentException: Unknown Argument inject message
Injection 1
Injection 2
Injection 3
!
    at test.Main(test.java:24)

when using

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// assumes the logger lives in the class shown in the stack trace above
private static final Logger LOGGER = LoggerFactory.getLogger(Main.class);

try {
   String invalidArgs = "inject message\nInjection 1\nInjection 2\nInjection 3\n!";
   throw new IllegalArgumentException("Unknown Argument: " + invalidArgs);
} catch (Exception e) {
   // SLF4J has no error(Throwable) overload; the throwable goes in the last argument
   LOGGER.error("Unhandled exception", e);
}

My logback configuration contains:

<configuration debug="false" >
  <conversionRule conversionWord="crlf" converterClass="org.owasp.security.logging.mask.CRLFConverter" />
  <appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
    <!-- encoders are assigned the type
         ch.qos.logback.classic.encoder.PatternLayoutEncoder by default -->
    <encoder>
      <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %crlf(%msg) %n</pattern>
    </encoder>
    <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
        <level>INFO</level>
    </filter>
  </appender>
  <root level="INFO">
    <appender-ref ref="CONSOLE" />
  </root>
</configuration>
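The behaviour reported above, reproduced side by side with one way to close the gap, as an added example that is not part of this issue or of the owasp-security-logging project. The `CrlfEscapingConverter`, `escapeCrlf` and `configure` names are this example's own; the converter is a stand-in written for the demo and is not the project's `CRLFConverter`. It assumes logback-classic 1.2.x and slf4j-api on the classpath, and relies on two pieces of logback behaviour: when a pattern contains no `%ex`, logback appends its default throwable converter after the pattern (outside any `%crlf(...)` wrapper), and a `%ex` nested inside a composite converter is not recognised as handling the throwable, so `%nopex` is needed to stop a second, raw trace from being appended.

```java
import ch.qos.logback.classic.Level;
import ch.qos.logback.classic.Logger;
import ch.qos.logback.classic.LoggerContext;
import ch.qos.logback.classic.PatternLayout;
import ch.qos.logback.classic.spi.ILoggingEvent;
import ch.qos.logback.core.ConsoleAppender;
import ch.qos.logback.core.encoder.LayoutWrappingEncoder;
import ch.qos.logback.core.pattern.CompositeConverter;
import org.slf4j.LoggerFactory;

/**
 * Shows why %crlf(%msg) alone does not stop log injection through exception
 * messages, and one way to close the gap. Added example: the converter below is
 * a stand-in written for this demo, not the project's CRLFConverter.
 * Assumes logback-classic 1.2.x and slf4j-api on the classpath.
 */
public class CrlfDemo {

    /** Backs the %crlf(...) conversion word: escapes CR and LF in whatever it wraps. */
    public static class CrlfEscapingConverter extends CompositeConverter<ILoggingEvent> {
        @Override
        protected String transform(ILoggingEvent event, String in) {
            return escapeCrlf(in);
        }
    }

    /**
     * Replaces raw line breaks with the visible two-character sequences \r and \n,
     * so a forged "second line" can no longer start a new log record. Escaping,
     * rather than deleting, keeps the attacker's input recoverable for analysis.
     */
    static String escapeCrlf(String in) {
        if (in == null) {
            return null;
        }
        return in.replace("\r", "\\r").replace("\n", "\\n");
    }

    /** Replaces the current logback configuration with a console appender using the given pattern. */
    static void configure(String pattern) {
        LoggerContext ctx = (LoggerContext) LoggerFactory.getILoggerFactory();
        ctx.reset(); // discard logback.xml (if any) and appenders from an earlier call

        PatternLayout layout = new PatternLayout();
        layout.setContext(ctx);
        // Register the conversion word programmatically; logback.xml would use
        // <conversionRule conversionWord="crlf" converterClass="..."/> instead.
        layout.getInstanceConverterMap().put("crlf", CrlfEscapingConverter.class.getName());
        layout.setPattern(pattern);
        layout.start();

        LayoutWrappingEncoder<ILoggingEvent> encoder = new LayoutWrappingEncoder<>();
        encoder.setContext(ctx);
        encoder.setLayout(layout);
        encoder.start();

        ConsoleAppender<ILoggingEvent> console = new ConsoleAppender<>();
        console.setContext(ctx);
        console.setEncoder(encoder);
        console.start();

        Logger root = ctx.getLogger(org.slf4j.Logger.ROOT_LOGGER_NAME);
        root.addAppender(console);
        root.setLevel(Level.INFO);
    }

    public static void main(String[] args) {
        // Constructed attacker input, same shape as in the issue report.
        String tainted = "inject message\nInjection 1\nInjection 2\nInjection 3\n!";
        org.slf4j.Logger log = LoggerFactory.getLogger(CrlfDemo.class);

        // 1. Pattern from the issue: only %msg is wrapped. Because the pattern
        //    contains no %ex, logback appends its default throwable converter
        //    after the chain, and the exception message is printed verbatim,
        //    forged lines included.
        configure("%-5level %logger{36} - %crlf(%msg)%n");
        log.error("unsafe pattern", new IllegalArgumentException("Unknown Argument: " + tainted));

        // 2. Hardened pattern: wrap %ex as well, and end with %nopex. The wrapped
        //    %ex is nested inside %crlf(...), so without %nopex logback would still
        //    append a second, unescaped stack trace after the escaped one.
        configure("%-5level %logger{36} - %crlf(%msg) %crlf(%ex)%nopex%n");
        log.error("safe pattern", new IllegalArgumentException("Unknown Argument: " + tainted));
    }
}
```

Run it with logback-classic and slf4j-api on the classpath; the first record spans five lines, the second is a single line in which the exception message and every stack frame are separated by a literal `\n`. Flattening the whole trace onto one line is the trade-off of wrapping `%ex` in a generic CR/LF escaper: it is unambiguous for log collectors but less pleasant to read than a multi-line trace. A converter that escapes only the exception message while leaving frame separators intact would need to build the trace itself from the event's `IThrowableProxy`, which this example deliberately avoids.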
javabeanz commented 4 years ago

Thanks for reporting and solving this issue :thumbsup: