2

I read on some forums the myth that it is enough to pass the Veracode CWE 117 (Improper Output Neutralization for Logs) issue by doing something like this. Can somebody confirm whether this is the case or not?

 message.replaceAll("\r", "_").replaceAll("\n", "_");

From this topic, How to fix Veracode CWE 117 (Improper Output Neutralization for Logs), I understand that I need to do something like this:

ESAPI.encoder().encodeForHTML(message);
Sorin Penteleiciuc

4 Answers

4

You can use the escapeJava method of StringEscapeUtils to pass the CWE-117 in Veracode. I was able to pass CWE-117 with 2.6 of commons-lang https://mvnrepository.com/artifact/commons-lang/commons-lang/2.6

StringEscapeUtils.escapeJava(message)
chandima
3

The message needs to be escaped for the context which it is in. The ESAPI logger does replace the \r and \n characters as well as encode for html if configured to do so.

Currently this code gives me a CWE 117 from Veracode:

log.log(Level.WARNING, System.getenv("unsafe"));

This code does not:

log.log(Level.WARNING, ESAPI.encoder().encodeForHTML(System.getenv("unsafe")));

encodeForHTML encodes \r and \n to &#xd; and &#xa; respectively, but an underscore is imho cleaner, and if you decoded the html you may get unexpected new lines.

Jeremy
  • Do you know if there is an alternative for ESAPI in order to pass that CWE 117 test from Veracode? – Sorin Penteleiciuc Oct 05 '17 at 08:17
  • I have not used anything else myself, but you can see a full list of approved cleansers at the following Veracode Help Center page: [Supported Cleansing Functions](https://help.veracode.com/reader/4EKhlLSMHm5jC8P8j3XccQ/QSde6PQlbxAPLvVx1K933A) – Jeremy Oct 09 '17 at 15:05
  • @SorinPenteleiciuc alternatively you can use the StringEscapeUtils.escapeJava(message) method. I was able to pass CWE-117 with 2.6 of commons-lang https://mvnrepository.com/artifact/commons-lang/commons-lang/2.6 – chandima Jan 19 '21 at 19:20
  • Thanks, it solves my problem. I have a question: I can directly use ESAPI, but how is this installed on my machine? – Willy Aug 31 '23 at 09:49
3

If you don't want to directly use ESAPI, you can write your own function which does similar things:

  • escapes new lines and
  • encodes html.

I have given an example of such a function (based on ESAPI) as an answer here: security flaw - veracode report - crlf injection

walkeros
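As an added example (not code from the question or from any answer above, and not ESAPI's, commons-lang's or Veracode's code), the following self-contained Java class implements the two steps walkeros lists, line-break replacement and HTML encoding, without any third-party dependency, and runs the unsafe-versus-neutralized comparison from Jeremy's answer through java.util.logging. The class name LogNeutralizer, its method names and the sample log-injection input are my own assumptions. The payload is constructed: a "username" that carries CR LF followed by text shaped like a second, successful-looking log record.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Added example: hand-written log neutralizer (not ESAPI or Veracode code).
 * Two variants are shown so the difference between "replace CR/LF only" and
 * "replace CR/LF and HTML-encode" is visible on the same input.
 */
public final class LogNeutralizer {

    private LogNeutralizer() {
    }

    /**
     * Option 1 from the question: only the line breaks are touched.
     * This stops an attacker from forging a new log record, because a
     * record boundary in a text log is a line break.
     */
    public static String replaceLineBreaks(String message) {
        if (message == null) {
            return null;
        }
        // String is immutable: the result must be used, not discarded.
        // replace() takes literals, so no regex is involved.
        return message.replace("\r", "_").replace("\n", "_");
    }

    /**
     * Option 2: line breaks become underscores, HTML metacharacters are
     * encoded, and any other C0 control character (and DEL) is turned into
     * a numeric entity so it cannot reach a terminal or log viewer raw.
     */
    public static String neutralize(String message) {
        if (message == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(message.length() + 16);
        for (int i = 0; i < message.length(); i++) {
            char c = message.charAt(i);
            switch (c) {
                case '\r':
                case '\n':
                    out.append('_');
                    break;
                case '<':
                    out.append("&lt;");
                    break;
                case '>':
                    out.append("&gt;");
                    break;
                case '&':
                    out.append("&amp;");
                    break;
                case '"':
                    out.append("&quot;");
                    break;
                case '\'':
                    out.append("&#x27;");
                    break;
                default:
                    if (c < 0x20 || c == 0x7f) {
                        // e.g. ESC (0x1b) becomes &#x1b; instead of starting an ANSI sequence
                        out.append("&#x").append(Integer.toHexString(c)).append(';');
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        Logger log = Logger.getLogger(LogNeutralizer.class.getName());

        // Constructed attacker-controlled value: CR LF followed by a forged record.
        String unsafe = "alice\r\n2017-10-05 08:17:00 WARNING login succeeded for user=admin <script>";

        // Vulnerable: the line break reaches the log and the forged record looks genuine.
        log.log(Level.WARNING, "login failed for user=" + unsafe);

        // Neutralized: everything the attacker supplied stays inside one record.
        log.log(Level.WARNING, "login failed for user=" + replaceLineBreaks(unsafe));
        log.log(Level.WARNING, "login failed for user=" + neutralize(unsafe));
    }
}
```

Compile and run it with `javac LogNeutralizer.java && java LogNeutralizer`. The first log call prints two lines, the second of which an operator or a log parser cannot tell from a real record; the other two calls keep the payload on one line. The underscore-only variant leaves `<script>` intact, which only matters if the logs are ever rendered in a browser-based console, while the encoding variant covers that case at the cost of readability and of the double-decoding point Jeremy raises. One practical caveat for the original question: Veracode recognizes specific cleansing functions (the Supported Cleansing Functions list linked in the comments), so a hand-written function like this one is correct as a control but should be confirmed against a rescan rather than assumed to clear the finding.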
3

We can do it either way.

message.replaceAll("\r", "_").replaceAll("\n", "_");

or

ESAPI.encoder().encodeForHTML(message);

or

HtmlUtils.htmlEscape(input)
Nazim Kerimbekov
Chaithra S