Alina Danila Alina Danila - 1 month ago 45
Java Question

log forging fortify fix

I am using Fortify SCA to find the security issues in my application (as a university homework). I have encountered some 'Log Forging' issues which I am not able to get rid off.

Basically, I log some values that come as user input from a web interface:

logger.warn("current id not valid - " + bean.getRecordId()));


and Fortify reports this as a log forging issue, because the getRecordId() returns an user input.

I have followed this article, and I am replacing the 'new line' with space, but the issue is still reported

logger.warn("current id not valid - " + Util.replaceNewLine(bean.getRecordId()));


Can anyone suggest a way to fix this issue?

Answer

Alina, I'm actually the author of the article you used to solve your log injection issue. Hope it was helpful.

Vitaly is correct with regards to Fortify. You'll need to build what Fortify calls a "custom rule".

It will likely be a dataflow cleanse rule. A basic example can be found here: http://www.cigital.com/newsletter/2009-11-tips.php. If you own Fortify, there should be a custom rule writing guide in your product documentation.

I don't know what the taint flag you'll use is, but it would look something like "-LOG_FORGING". You would essentially write a rule to remove the log forging "taint" whenever data is passed through your utility method. Fortify will them assume that any data passed through there is now safe to be written to a log, and will not cause log forging.