2

I'm trying to fix the CRLF vulnerability in my application logger. I'm currently logging my HTTP request Path; is there a way to validate this one, to remove any CR LF injection in my request Path? I'm currently using C# as my programming language.

This is my core code when logging an error:

 _logger.LogInformation(e, "InactiveTenantException caught during api request {RequestPath} {Tenant} {User}", context.Request.Path, currentUser?.Tenant, currentUser?.LoginEmail);

Note: currently using Microsoft.Extensions.Logging as my logging tool.

bRaNdOn
    If I'm reading your question correctly, all you need to do is sanitize the URL string you received. See here for an example https://stackoverflow.com/a/23033913/1427406 – Kishore Masand Apr 02 '18 at 08:35


2

Since you are using the PathString that is returned by HttpContext.Request.Path, you are getting an escaped string:

the path string escaped in a way which is correct for combining into the URI representation

Thus, there shouldn't be a CRLF vulnerability in your code.

If you make a request like /foo%5Cnbar, which is the encoded form of /foo\nbar, then you will get /foo%5Cnbar instead of two lines in your log file.

AlbertK
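The following is an added example, not code from the question or the answer above. It shows the point the answer makes (PathString.ToString() hands you the escaped form, so a CR/LF in the path cannot split a log line) and the gap it leaves: the other values in the question's log call (Tenant, LoginEmail) are plain strings and are not escaped for you, so a small escaper is applied to them before they reach the logger. Assumptions: the project references the ASP.NET Core shared framework (Microsoft.NET.Sdk.Web, or a FrameworkReference to Microsoft.AspNetCore.App) so that Microsoft.AspNetCore.Http.PathString is available; the PathString value is constructed here to stand in for what Request.Path holds after the server decodes a request target; LogSanitizer is a hypothetical helper name.

```csharp
using System;
using System.Text;
using Microsoft.AspNetCore.Http;

static class LogSanitizer
{
    // Makes a free-form string safe to put on one log line: CR, LF and TAB become
    // visible escapes, every other control character becomes \uXXXX, so an attacker-
    // controlled value cannot start a fake second log entry.
    public static string EscapeForLog(string? value)
    {
        if (string.IsNullOrEmpty(value))
        {
            return string.Empty;
        }

        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\r': sb.Append("\\r"); break;
                case '\n': sb.Append("\\n"); break;
                case '\t': sb.Append("\\t"); break;
                default:
                    if (char.IsControl(c))
                    {
                        sb.Append("\\u").Append(((int)c).ToString("X4"));
                    }
                    else
                    {
                        sb.Append(c);
                    }
                    break;
            }
        }
        return sb.ToString();
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample: what Request.Path holds once the server has decoded a
        // request target of /foo%0D%0Abar (a real CR LF, not the literal "\n" text
        // that %5Cn in the answer decodes to).
        var path = new PathString("/foo\r\nbar");

        // ToString() returns the URI-escaped component; this is what a
        // {RequestPath} placeholder receives when you pass the PathString itself.
        Console.WriteLine("PathString.ToString(): " + path.ToString());

        // .Value is the raw, decoded string. Logging .Value instead of the
        // PathString throws the escaping away, so it goes through the escaper here.
        Console.WriteLine("PathString.Value:      " + LogSanitizer.EscapeForLog(path.Value));

        // Tenant and e-mail are ordinary strings taken from user-influenced data;
        // constructed sample with an injected line break.
        string tenant = "acme\r\nINFO forged log line";
        string email = "user@example.test";
        Console.WriteLine("Tenant: " + LogSanitizer.EscapeForLog(tenant));
        Console.WriteLine("User:   " + LogSanitizer.EscapeForLog(email));

        // Applied to the logger call from the question, the arguments would be:
        //   _logger.LogInformation(e,
        //       "InactiveTenantException caught during api request {RequestPath} {Tenant} {User}",
        //       context.Request.Path,                               // PathString: escaped via ToString()
        //       LogSanitizer.EscapeForLog(currentUser?.Tenant),     // plain string: escape it
        //       LogSanitizer.EscapeForLog(currentUser?.LoginEmail)); // plain string: escape it
    }
}
```

Two things to check in a real code base: that nothing logs Request.Path.Value (or Request.GetDisplayUrl() style raw strings) rather than the PathString, and that every other placeholder fed from request data passes through the same escaper, since structured-logging providers only render what they are given.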