I have a CWE 117 issue reported in my Product.

The CWE-117 issue is that the software does not properly sanitize, or incorrectly sanitizes, output that is written to logs, and one possible solution I got was to add the following while logging.

String clean = args[1].replace('\n', '_').replace('\r', '_');

log.info(clean);

My question is whether there is any central place in log4j where a single change can solve this issue?


1 Answer
It is the Layout that is responsible for serializing the log message, and it is here the newline-transformation code belongs.

I suggest creating your own (trivial) subclass of PatternLayout that does the transformation. This has also been discussed on the Log4j mailing list here. Here's a slightly modified version of the solution suggested in that thread:

import org.apache.log4j.PatternLayout;
import org.apache.log4j.spi.LoggingEvent;

public class NewLinePatternLayout extends PatternLayout {

    public NewLinePatternLayout() { }

    public NewLinePatternLayout(String pattern) {
        super(pattern);
    }

    // Returning false tells the appender NOT to write the throwable itself;
    // we append it in format() so its stack trace lines get neutralized too.
    @Override
    public boolean ignoresThrowable() {
        return false;
    }

    @Override
    public String format(LoggingEvent event) {
        String original = super.format(event);

        // Here your code comes into play: collapse CR/LF so one event stays on one line
        String clean = original.replace('\n', '_').replace('\r', '_');

        StringBuilder sb = new StringBuilder(clean);

        // Stack trace lines are appended one after another, separated by '_'
        String[] s = event.getThrowableStrRep();
        if (s != null) {
            for (int i = 0; i < s.length; i++) {
                sb.append(s[i]);
                sb.append('_');
            }
        }
        return sb.toString();
    }
}

Related question (with a potentially useful answer):

  • Hi... I did as you said. I wrote this class in one of my projects and created a jar. I have placed the jar in the same location as log4j*.jar. I have also made the changes to log4j.properties. `log4j.appender.R.layout=com.umonitor.utils.NewLinePatternLayout` But I am getting the following error. log4j:ERROR A "com.umonitor.utils.NewLinePatternLayout" object is not assignable to a "org.apache.log4j.Layout" variable. log4j:ERROR The class "org.apache.log4j.Layout" was loaded by log4j:ERROR [WebappClassLoader delegate: false repositories: /WEB-INF/classes/ ----> Parent Classloader: – Divya Rose Jun 23 '15 at 14:22
  • You implemented a `Layout`? – aioobe Jun 23 '15 at 14:24
  • Yes... I created the NewLinePatternLayout class. But see the error in the above comment please. – Divya Rose Jun 23 '15 at 14:28
  • The error is : The class "org.apache.log4j.Layout" was loaded by log4j:ERROR [WebappClassLoader "com.umonitor.utils.NewLinePatternLayout" was loaded by [org.apache.catalina.loader.StandardClassLoader@620a3d3b]. – Divya Rose Jun 23 '15 at 14:48
  • Sorry for the delay. Have a look at this question/answer: http://stackoverflow.com/questions/4218083/log4js-configuration Let me know if it helps! – aioobe Jun 23 '15 at 15:06
  • I didn't get an answer from that link. My log4j.properties file looks like below: log4j.rootLogger=INFO, R log4j.appender.R=org.apache.log4j.RollingFileAppender log4j.appender.R.File=${catalina.home}/logs/tomcat.log log4j.appender.R.MaxFileSize=10MB log4j.appender.R.MaxBackupIndex=10 log4j.appender.R.layout=com.divya.utils.NewLinePatternLayout log4j.appender.R.layout.ConversionPattern=%p %t %c - %m%n Why is the Layout class getting loaded by WebappClassLoader and NewLinePatternLayout by StandardClassLoader? Please advise on what needs to be done. – Divya Rose Jun 23 '15 at 15:17
  • It's hard to read the file in a comment, and getting Log4j to play nicely with different classloaders seems a little off topic in regards to the original question. I suggest we proceed as follows: 1) Mark this answer as accepted if you think it addressed your question. 2) Post your log4j.properties file + the exact error message in a new question (remember to format the file content as code so it's easy to read) 3) Post a link to your new question here so I can find it easily. I'll then have a look at that question and try to sort it out. This also has the benefit that ... – aioobe Jun 23 '15 at 15:23
  • ...your followup question gets more attention and someone else (that's not following our discussion here) may see the question and give an answer quicker. – aioobe Jun 23 '15 at 15:24
  • http://stackoverflow.com/questions/31007079/issue-while-extending-patternlayout-in-log4j – Divya Rose Jun 23 '15 at 15:29
  • Thanks! I'll look at it right after I've had dinner! ttyl. – aioobe Jun 23 '15 at 15:34
  • You can use the escapeJava method of StringEscapeUtils to pass the CWE-117 in Veracode. I've put my answer here: https://stackoverflow.com/questions/46564555/pass-veracode-cwe-117-improper-output-neutralization-for-logs-only-with-replac/65798155#65798155 – chandima Jan 19 '21 at 19:27
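As an added example (not code from the question, the answer or log4j), here is a central neutralization routine that a Layout subclass's format() could call in place of the two replace() calls. It goes beyond CR and LF and also neutralizes other ISO control characters, rendering them as visible escapes rather than '_' so the original input stays recognizable when the log is reviewed; the class name and the constructed sample input are assumptions.

```java
// Added example, not part of the original answer: pure Java, no log4j dependency.
public class LogNeutralizer {

    /** Rewrites every control character so the result is guaranteed to be a single line. */
    public static String neutralize(String s) {
        if (s == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\n': sb.append("\\n"); break;
                case '\r': sb.append("\\r"); break;
                case '\t': sb.append("\\t"); break;
                default:
                    if (Character.isISOControl(c)) {
                        // Any other C0/C1 control character (e.g. ESC, 0x1B) as \uXXXX
                        sb.append(String.format("\\u%04x", (int) c));
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.toString();
    }

    /** True if the string would span more than one log line as written. */
    public static boolean containsLineBreak(String s) {
        return s != null && (s.indexOf('\n') >= 0 || s.indexOf('\r') >= 0);
    }

    public static void main(String[] args) {
        // Constructed sample input: a username field that carries a CRLF followed by
        // text shaped like a second log record; this is what CWE-117 warns about.
        String tainted = "alice\r\nINFO  login ok for admin";
        System.out.println("spans lines before: " + containsLineBreak(tainted));

        String clean = neutralize(tainted);
        System.out.println("spans lines after:  " + containsLineBreak(clean));

        // The whole record is now one line; the injected CRLF is visible as \r\n
        System.out.println("User: " + clean);
    }
}
```

Compile and run with javac/java; the same neutralize() call can be dropped into the format() method of the PatternLayout subclass above.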