This repository was archived by the owner on Jan 5, 2023. It is now read-only.

Go: Add Log Injection query (CWE-117) #609

Merged 5 commits on Nov 24, 2021

Conversation

@atorralba atorralba commented Nov 19, 2021

This PR adds a query for Log Injection (CWE-117).

Description

If unsanitized user input is written to a log entry, a malicious user may be able to forge new log entries.

Forgery can occur if a user provides some input with characters that are interpreted when the log output is displayed. If the log is displayed as a plain text file, then new line characters can be used by a malicious user. If the log is displayed as HTML, then arbitrary HTML may be included to spoof log entries.

To consider

No sanitizers were added, following the same reasoning as in the Java version.
Post-hoc edit by @smowton: this query DOES sanitize on removal of linebreak characters

Evaluation

The query shows results in 4820 projects. A small sample of them were reviewed and deemed TPs.

References

https://www.owasp.org/index.php/Log_Injection
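As an added example (not code from this PR or from the CodeQL repository), the Go pattern the CWE-117 query flags, beside the line-break sanitizer the description mentions; the handler, the `user` query parameter and the log wording are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// sanitizeLogValue drops the line-break characters that would let one
// plain-text log entry be terminated and a forged second entry appended.
func sanitizeLogValue(s string) string {
	return strings.NewReplacer("\n", "", "\r", "").Replace(s)
}

// loginHandler writes the user-controlled "user" parameter into a log entry.
// With sanitize=false this is the unsanitized flow the query reports.
func loginHandler(logger *log.Logger, sanitize bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		user := r.URL.Query().Get("user")
		if sanitize {
			user = sanitizeLogValue(user)
		}
		logger.Printf("failed login for user %s", user)
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	}
}

// LogLines sends one request through the handler and returns the log output
// split into lines, so the effect of the sanitizer can be checked.
func LogLines(rawUser string, sanitize bool) []string {
	var buf bytes.Buffer
	logger := log.New(&buf, "", 0) // no timestamp prefix: deterministic output
	target := "/login?user=" + url.QueryEscape(rawUser)
	req := httptest.NewRequest(http.MethodGet, target, nil)
	loginHandler(logger, sanitize).ServeHTTP(httptest.NewRecorder(), req)
	return strings.Split(strings.TrimRight(buf.String(), "\n"), "\n")
}

func main() {
	// Constructed input: the embedded newline ends the real entry, and the
	// remainder reads as a second log entry that never happened.
	payload := "alice\nsuccessful login for user admin"
	fmt.Println(len(LogLines(payload, false)), "log lines without sanitizer")
	fmt.Println(len(LogLines(payload, true)), "log line with sanitizer")
}
```

Formatting the value with fmt's `%q` verb instead of `%s` is another way to keep the entry on one line, since `%q` escapes control characters.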

@atorralba atorralba requested a review from a team as a code owner November 19, 2021 16:55
@atorralba atorralba force-pushed the atorralba/log-injection-query branch from 4f26661 to f2017b6 November 22, 2021 08:15

owen-mc commented Nov 24, 2021

It looks good to me. Can you explain what's going on with the stubs?

@atorralba atorralba (author) commented

> It looks good to me. Can you explain what's going on with the stubs?

First time using depstubber, sorry. I somehow pushed the generated stub.go and the actual, downloaded source code of each dependency 😅

@atorralba atorralba added the ready-for-doc-review This PR requires and is ready for review from the GitHub CodeQL docs team. label Nov 24, 2021

@mattpollard mattpollard left a comment

I noticed a minor typo, but otherwise, this is good to go 🚀

@atorralba atorralba merged commit 662f880 into main Nov 24, 2021
@atorralba atorralba deleted the atorralba/log-injection-query branch November 24, 2021 14:52