Java: Can't resolve Log Forging Fortify issue
Disclaimer: this page is a Chinese-English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me): StackOverFlow
原文地址: http://stackoverflow.com/questions/30537359/
Can't resolve Log Forging Fortify issue
Asked by Brian Redd
I am having trouble fixing a Log Forging issue in Fortify. The issue, "writes unvalidated user input to the log", is being raised from both of the logging calls in the getLongFromTimestamp() method.
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;

// LOGGER and FORMAT_YYYYMMDDHHMMSS are fields of the enclosing class (not shown in the question).
public long getLongFromTimestamp(final String value) throws Exception {
    LOGGER.info("getLongFromTimestamp(" + cleanLogString(value) + ")");
    long longVal = 0;
    Date tempDate = null;
    try {
        tempDate = new SimpleDateFormat(FORMAT_YYYYMMDDHHMMSS, Locale.US).parse(value);
    } catch (ParseException e) {
        LOGGER.warn("Failed to convert to Date: " + cleanLogString(value) + " Exception: " + cleanLogString(e.getMessage()));
        throw new Exception(e);
    }
    if (tempDate != null) {
        longVal = tempDate.getTime();
    }
    return longVal;
}

// Strips everything except ASCII letters and digits and marks the value when something was removed.
// The return type (String) was missing in the original listing.
private String cleanLogString(String logString) {
    String clean = logString.replaceAll("[^A-Za-z0-9]", "");
    if (!logString.equals(clean)) {
        clean += " (CLEANED)";
    }
    return clean;
}
The cleanLogString() method has fixed other Log Forging Fortify issues in my project, however it has no effect on the 2 above.
Any help would be appreciated!
Accepted answer by Brian Redd
Originally when this question was written our team was using log4j v1.2.8, however we noticed that all the log forging issues disappeared after upgrading to log4j v2.6.2.
Once the log4j version is upgraded the Fortify log forging issues should go away. The cleanLogString() method from the question above is also unnecessary. For example:
LOGGER.info("getLongFromTimestamp(" + value + ")");
Answered by Dave C
I know I have run into situations where the complexity of my application would stop any malicious input from working as intended; Fortify does not consider this to be secure. I bet you are running into the same thing.
You are stripping any really useful characters out of the log message, but see what happens if you do some encoding on the output prior to writing to the log.
http://www.jtmelton.com/2010/09/21/preventing-log-forging-in-java/
import org.owasp.esapi.ESAPI;

// ensure no CRLF injection into logs for forging records
String clean = message.replace( '\n', '_' ).replace( '\r', '_' );
if ( ESAPI.securityConfiguration().getLogEncodingRequired() ) {
    // encode the already CRLF-stripped value (the original snippet encoded
    // `message`, which silently discarded the replacement above)
    clean = ESAPI.encoder().encodeForHTML(clean);
    if (!message.equals(clean)) {
        clean += " (Encoded)";
    }
}
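As an added illustration of the point in this answer (this code is not from the question, the answers, or ESAPI): the first helper does the same CRLF replacement the ESAPI snippet performs, and the second encodes rather than strips, so a logged value stays on one line while remaining decodable. It uses only java.util.logging so it runs without log4j or ESAPI; the class name, method names and the forged sample value are constructed for the example.

```java
import java.util.logging.Logger;

// Added example: neutralizing a user-supplied value before it reaches the logger.
public final class LogForgingDemo {
    private static final Logger LOGGER = Logger.getLogger(LogForgingDemo.class.getName());

    /** Replaces CR and LF so the input cannot start a fake record on a new log line. */
    static String neutralizeNewlines(String message) {
        if (message == null) {
            return "null";
        }
        return message.replace('\r', '_').replace('\n', '_');
    }

    /**
     * Encodes instead of stripping: every character outside printable ASCII, plus the
     * backslash itself, becomes a \\uXXXX escape. Control characters (including CR/LF
     * and terminal escape sequences) can no longer break the line, and the original
     * value can still be recovered from the log when investigating.
     */
    static String encodeForLog(String message) {
        if (message == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder(message.length());
        for (int i = 0; i < message.length(); i++) {
            char c = message.charAt(i);
            if (c >= 0x20 && c <= 0x7E && c != '\\') {
                sb.append(c);
            } else {
                sb.append(String.format("\\u%04x", (int) c));
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a timestamp-like value with a fake log record appended after a newline.
        String forged = "20150529120000\nINFO  getLongFromTimestamp(ADMIN_LOGIN_OK)";

        String neutralized = neutralizeNewlines(forged);
        String encoded = encodeForLog(forged);
        if (neutralized.indexOf('\n') >= 0 || encoded.indexOf('\n') >= 0) {
            throw new AssertionError("sanitized value must not contain a line break");
        }

        LOGGER.info("raw: " + forged);                // appears as two log lines
        LOGGER.info("neutralized: " + neutralized);   // one line, newline shown as '_'
        LOGGER.info("encoded: " + encoded);           // one line, newline shown as \u000a
    }
}
```

Stripping (as in the question's cleanLogString) and neutralizing both lose information; the encoding variant keeps it, which matters when the logged value is later needed as evidence. Log4j 2's PatternLayout can do the same at the layout level with its encode converter (`%enc{%m}{CRLF}`), so the protection does not depend on every call site remembering to sanitize.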
Answered by bfpne
It is possible to use fortify Java annotations to tell Fortify that the data returned from a sanitizing function is now safe.
When looking at my log forging problems I had strings coming in through a web API and thus had the flags XSS and WEB on my strings. I tried to find annotations that would only remove these flags, but couldn't find any way to remove the WEB flag. The only documentation I've found is the Samples/advanced/javaAnnotation directory.
Since my sanitation method does sanitize strings, I choose to remove all flags. This could be a problem though, as it could hide privacy violations.
// Tells Fortify that the value returned by this method is validated (all taint flags cleared).
// doSomethingWithTheString stands for the actual sanitizing logic.
@FortifyValidate("return")
private String sanitizeString(String taintedString) {
    return doSomethingWithTheString(taintedString);
}
Answered by Poter Sue
Use reflect or try-catch. It's easy to cheat Fortify.