Unsanitized user input in logger message

Description

Logging unsanitized user input can lead to log forgery or malicious content injection. This vulnerability arises when user input is directly included in log messages without proper sanitization.

Remediations

  • Do not include unsanitized user input in log messages. Input that reaches the log untouched can carry line breaks and control characters, which let an attacker forge additional log entries or inject content that downstream log viewers and parsers will process.
    String username = request.getParameter("username");
    log.warn("Username is " + username); // unsafe: raw request parameter is written to the log
  • Do sanitize user input before logging it. Ensure that any data derived from user input is cleaned (at minimum, CR/LF and other control characters removed or escaped) so that it cannot break out of the current log entry.
    String username = sanitized(request.getParameter("username")); // sanitized(): strips line breaks and control characters
    log.warn("Username is " + username);
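The following is an added, self-contained example (not the rule's own code and not Bearer project code) showing what the sanitize step in the remediation above can look like. It uses java.util.logging so it runs without dependencies, and the helper sanitizeForLog stands in for the page's unnamed sanitized() function; both the helper and the sample input are assumptions constructed for the example.

```java
import java.util.logging.Logger;
import java.util.regex.Pattern;

public class LogSanitizerExample {
    private static final Logger log = Logger.getLogger(LogSanitizerExample.class.getName());

    // ASCII control characters (\p{Cntrl} covers 0x00-0x1F and 0x7F, so CR and LF are included),
    // the C1 NEL character, and the Unicode line/paragraph separators.
    private static final Pattern CONTROL_CHARS =
            Pattern.compile("[\\p{Cntrl}\\u0085\\u2028\\u2029]");

    // Maximum length kept for a logged value, so a huge input cannot flood the log file.
    private static final int MAX_LOGGED_LENGTH = 100;

    // Hypothetical sanitize helper (the page's sanitized()): replaces every control character
    // with an underscore and truncates the value, so it can no longer start a new log entry.
    static String sanitizeForLog(String input) {
        if (input == null) {
            return "null";
        }
        String cleaned = CONTROL_CHARS.matcher(input).replaceAll("_");
        if (cleaned.length() > MAX_LOGGED_LENGTH) {
            cleaned = cleaned.substring(0, MAX_LOGGED_LENGTH) + "...[truncated]";
        }
        return cleaned;
    }

    // Builds the log message the same way the remediation does, but through the sanitizer.
    static String usernameMessage(String username) {
        return "Username is " + sanitizeForLog(username);
    }

    public static void main(String[] args) {
        // Constructed sample value standing in for request.getParameter("username"):
        // it contains a CRLF followed by text shaped like a second log line.
        String username = "alice\r\nWARNING: Username is admin";

        // Unsafe: the embedded line break makes the log show two entries instead of one.
        log.warning("Username is " + username);

        // Safe: control characters are neutralised, so the whole value stays on one entry.
        log.warning(usernameMessage(username));
    }
}
```

Running the class shows the difference directly: the first call produces a forged-looking second line, while the second logs a single entry reading "Username is alice__WARNING: Username is admin". Note that parameterised logging such as log.warn("Username is {}", username) in SLF4J only avoids string concatenation; it does not remove line breaks, so the sanitize step is still required.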

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=java_lang_log_injection

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=java_lang_log_injection