
Java : Add query for detecting Log Injection vulnerabilities #265

@ghost

Description

This is a continuation of #144.

@dellalibera and I have collaborated on this one.

github/codeql#5099 detects use cases where untrusted input can be passed to a logging function. Depending on the circumstances, this can lead to remote code execution, log manipulation, violation of audit and compliance norms, etc.

The following section is copied from #144

Result(s)

The query was able to detect a potential Log Forging (now fixed) in the generator-jhipster project.
This is the PR fixing the potential Log Forging: prevent potential log forging, and here the fixed code.

To test the query, I used the vulnerable version of that file. I created a project using jhipster (Creating an application), and then I ran the query on the project already created; the query was able to detect the vulnerability mentioned in the PR (once I created the project, before generating the database, I replaced the fixed code with its previous version).

There is also a CVE (another project): CVE-2020-4072: Log Forging in generator-jhipster-kotlin, which mentions the equivalent Java file of the generator-jhipster project: commit: prevent log forging when doing password reset init request.
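The pattern the query is looking for, as an added illustration that is not part of this issue, the CodeQL query, or the jhipster project: a password-reset handler that concatenates a request-supplied e-mail address into a log message, next to a hardened version that strips control characters first. The class, method names, log message text and the attacker input are all constructed for this example; the exact code and fix in generator-jhipster are only linked above, not reproduced here.

```java
import java.util.logging.Logger;
import java.util.regex.Pattern;

/**
 * Constructed example of a log forging sink and one way to neutralise it.
 * Nothing here is taken from the jhipster code base.
 */
public class LogForgingDemo {
    private static final Logger LOG = Logger.getLogger(LogForgingDemo.class.getName());

    // Any control character, including CR and LF, which is what lets an
    // attacker terminate the current log record and start a forged one.
    private static final Pattern CONTROL_CHARS = Pattern.compile("\\p{Cntrl}");

    /** Vulnerable: the untrusted value flows into the log message unchanged. */
    static String buildResetMessageVulnerable(String mail) {
        return "Requesting password reset for Email: " + mail;
    }

    /** Hardened: control characters are replaced before the value is logged. */
    static String buildResetMessageSafe(String mail) {
        return "Requesting password reset for Email: " + sanitizeForLog(mail);
    }

    /** Replace every control character with '_' so a value cannot span lines. */
    static String sanitizeForLog(String value) {
        if (value == null) {
            return "null";
        }
        return CONTROL_CHARS.matcher(value).replaceAll("_");
    }

    static void handleResetInit(String mailFromRequest) {
        // Sink the query flags: request parameter -> logger.
        LOG.info(buildResetMessageVulnerable(mailFromRequest));
        // Same message after sanitisation; the forged line cannot break out.
        LOG.info(buildResetMessageSafe(mailFromRequest));
    }

    public static void main(String[] args) {
        // Constructed attacker input: a CRLF followed by a fake log record.
        String forged = "victim@example.com\r\n"
                + "INFO: Password reset for admin@example.com completed";
        handleResetInit(forged);
    }
}
```

Run it and compare the two records: the first call writes two lines to the log, the second of which looks like a genuine, unrelated event; the sanitised call writes a single line with the CR and LF shown as underscores. Replacing control characters is the minimal fix; for values that are rendered elsewhere (a log viewer that interprets HTML or ANSI escapes, for instance) consider encoding the value for that consumer as well.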
