
log4j2, CWE 117 - log injection vulnerability


I've been trying to handle the security of log4j2 in our Spring application so that it passes Veracode, especially CWE 117 (log injection vulnerability). We have a Spring application with spring-boot-starter-log4j2.
I have tried to configure the log4j2 pattern:

<PatternLayout pattern="%d{DEFAULT} [%t] %-5level %logger{36} - %encode{%m}%n" /> 

but it doesn't work. I also tried something like this:

<PatternLayout pattern="%d{ISO8601} %-5p - %encode{ %.-500m }{CRLF}%n" /> 

or

<PatternLayout pattern="%d{HH:mm:ss.SSS} %marker [%t] %-5level %logger{36} - %encode{%msg}{CRLF}%n"/>

I am still getting the Veracode result:

117   Improper Output Neutralization for Logs   WelcomeResource.java: 15
117   Improper Output Neutralization for Logs   WelcomeResource.java: 16

We don't want to use ESAPI or any log facade, and we don't want to change all the log rows in our code; there are thousands of occurrences. We would like to use the straight setting as in the snippet below or here: https://owasp.org/www-project-cheat-sheets/cheatsheets/Injection_Prevention_Cheat_Sheet_in_Java.html#Log_Injection or https://github.com/javabeanz/owasp-security-logging/wiki/Log-Forging

But it doesn't work. Where could the problem be?

Here is a snippet of our code:

build.gradle:

plugins {
    id 'org.springframework.boot' version '2.2.0.RELEASE'
    id 'io.spring.dependency-management' version '1.0.8.RELEASE'
    id 'java'
    id 'maven'
}

group = 'com.example'
version = '0.0.2-SNAPSHOT'

repositories {
    mavenCentral()
}

configurations {
    all {
        exclude group: 'org.springframework.boot', module: 'spring-boot-starter-logging'
    }
}

dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-actuator'
    implementation 'org.springframework.boot:spring-boot-starter-web'
    implementation 'org.springframework.boot:spring-boot-starter-log4j2'
}

App.java:

package com.example.demoLog4j2;

import org.slf4j.LoggerFactory;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class App {

    final static org.slf4j.Logger Logger = LoggerFactory.getLogger("App");

    public static void main(String[] args) {
        SpringApplication.run(App.class, args);
        System.out.println(" //---------------------->> DemoLog4j2 Application started... ");
        Logger.info(" Logger implementation: " + Logger.getClass().getName());
    }
}

WelcomeResource.java:

package com.example.demoLog4j2;

import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.*;

@RestController
public class WelcomeResource {

    private static final String welcomeMessage = "Welcome...";

    final org.slf4j.Logger Logger = LoggerFactory.getLogger(this.getClass());

    @GetMapping("/name")
    public String getName(@RequestParam(name="name", required = false, defaultValue = "Josef") String name) {
        Logger.info( "----- name: " + name);
        Logger.debug( "--- name: " + name );
        return "name: " + name;
    }
}

log4j2.xml:

<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="INFO">
    <Appenders>
        <Console name="Console" target="SYSTEM_OUT">
            <!-- <PatternLayout pattern="%d{DEFAULT} [%t] %-5level %logger{36} - %encode{%m}%n" /> -->
            <!-- <PatternLayout pattern="%d{HH:mm:ss.SSS} %marker [%t] %-5level %logger{36} - %encode{%msg}{CRLF}%n" /> -->
            <PatternLayout pattern="%d{ISO8601} %-5p - %encode{ %.-500m }{CRLF}%n" />
        </Console>
    </Appenders>
    <Loggers>
        <Root level="INFO">
            <AppenderRef ref="Console" />
        </Root>
    </Loggers>
</Configuration>

Solution

  • Finally we have solved the log injection threat with "%encode{%msg}" in the log4j2 config file. It solved the threat, but it didn't solve the Veracode report. We ignored it, because it was a false report. I don't know if Veracode repaired it.
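The following is an added example, not code from the question, from Spring Boot or from the log4j2 project. It renders one log event through a PatternLayout built in code (no appender, no XML file) so you can see exactly what the `%encode{%msg}{CRLF}` converter from the question's log4j2.xml does to a request parameter that smuggles a forged record, compared with the unprotected `%msg`. The class name CrlfEncodeDemo, the helper methods and the forged "name" value are my own constructions; it assumes log4j-api and log4j-core (2.6 or later, which introduced the `{CRLF}` escape format) on the classpath.

```java
// Added example: demonstrates log4j2's %encode{%msg}{CRLF} converter against a
// forged log line. Assumes log4j-api and log4j-core are on the classpath.
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.impl.Log4jLogEvent;
import org.apache.logging.log4j.core.layout.PatternLayout;
import org.apache.logging.log4j.message.SimpleMessage;

public class CrlfEncodeDemo {

    // Same converter as the question's log4j2.xml, without the timestamp so output is stable.
    static final String ENCODED_PATTERN = "%-5level %logger{36} - %encode{%msg}{CRLF}%n";
    // The unprotected layout, for comparison.
    static final String PLAIN_PATTERN = "%-5level %logger{36} - %msg%n";

    /** Renders one INFO event through a PatternLayout built from the given pattern. */
    static String render(String pattern, String name) {
        // PatternLayout.Builder falls back to a DefaultConfiguration when none is supplied.
        PatternLayout layout = PatternLayout.newBuilder().withPattern(pattern).build();
        LogEvent event = Log4jLogEvent.newBuilder()
                .setLoggerName("com.example.demoLog4j2.WelcomeResource")
                .setLevel(Level.INFO)
                // Mirrors the flagged call: Logger.info("----- name: " + name)
                .setMessage(new SimpleMessage("----- name: " + name))
                .build();
        return layout.toSerializable(event);
    }

    /** True when the rendered record occupies exactly one physical line (ignoring the %n). */
    static boolean isSingleRecord(String rendered) {
        String sep = System.lineSeparator();
        String body = rendered.endsWith(sep)
                ? rendered.substring(0, rendered.length() - sep.length())
                : rendered;
        return body.indexOf('\n') < 0 && body.indexOf('\r') < 0;
    }

    public static void main(String[] args) {
        // Constructed input: a "name" parameter carrying CR LF and a fake second record.
        String forged = "Josef\r\nINFO  com.example.demoLog4j2.WelcomeResource - user admin logged in";

        String plain = render(PLAIN_PATTERN, forged);
        String encoded = render(ENCODED_PATTERN, forged);

        // With %msg the CR LF survives and the file shows two records, the second one fabricated.
        // With %encode{%msg}{CRLF} the control characters are rewritten as the literal text \r\n,
        // so the whole value stays inside the real record.
        System.out.print("plain   : " + plain);
        System.out.print("encoded : " + encoded);
        System.out.println("plain is one record?   " + isSingleRecord(plain));
        System.out.println("encoded is one record? " + isSingleRecord(encoded));
    }
}
```

Two points worth keeping in mind when choosing between the question's variants: `%encode{%m}` with no second argument uses the HTML escape format, which also rewrites CR and LF but additionally replaces `&`, `<`, `>`, `"`, `'` and `/`, so URLs and JSON fragments in messages get mangled; `{CRLF}` touches only the two line-break characters, which is the narrower fix for plain text logs. And because the neutralization happens in the layout at output time, a static analyzer that traces `Logger.info("..." + name)` in the source has no way to see it, which is consistent with the finding persisting after the configuration change.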