1

It's a slf4j logger and i have been trying to log error with 2 messages parameters.

catch(ExecutionException executionException) {

LOGGER.error("TimeoutException caught , Error: " + SSG_TIMEOUT.getErrorText() 
       + ". Message: " +executionException.getMessage());    
}

SSG_TIMEOUT.getErrorText() results to a String "TimeOut error encountered"

Things i used

  1. Manual sanitize code

    return entry.replace("\t", "\\t").replace("\b", "\\b").replace("\n", 
    "\\n").replace("\r", "\\r").replace("\f", "\\f").replace("\u0000", 
    "\\0").replace("\\a", "\\a").replace("\\v", "\\v").replace("\\e", 
    "\\e").replaceAll("\\p{Cntrl}", "").replace("'", "\\'").replace("\"", 
    "\\\"").replace("\\", "\\\\");

  2. StringEscapeUtils.escapeJson(String errorMessage)

  3. String builder to append string + escapeJson(StringBuilder.toString())

Still i see the issue in my veracode report.

Any Suggestions?

Amrit Gopal Singh
  • 33
  • 1
  • 6

1 Answers1

2

First of all first 2 methods of sanitization are correct, its just that there are not supported by Veracode.

Before using a method one should visit About Supported Cleansing Functions in https://help.veracode.com/r/review_cleansers

So, for the above problem StringUtils.normalizeSpace() worked. "StringUtils.escapeJava" could also be used but it seems deprecated

Soln:

    catch(ExecutionException executionException) {

    LOGGER.error("TimeoutException caught , Error: " + 
    StringUtils.normalizeSpace(SSG_TIMEOUT.getErrorText() 
    }
Amrit Gopal Singh
  • 33
  • 1
  • 6
  • 1
    Thank you @amrit-gopal-singh for providing the list of cleansers Veracode recognized! I spent 3 days digging in their reports, CVWE, OWASP, etc. applying blacklisting, whitelisting, escaping and replacement in vain, until I found your comment and realized veracode recognizes only java.net.URLEncoder.encode() from JSE. – Rusi Popov Mar 09 '21 at 11:51