Improper Neutralization of CRLF Sequences ('CRLF Injection')
ID: scala.inject.scala_inject_rule_clrfinjectionlogs
Severity: high
Resource: Inject
Language: Scala
Description
When data from an untrusted source is written to a logger without being neutralized, an attacker can forge log entries or embed malicious content in the log. A carriage return or line feed (CR, LF) inside the value terminates the current record in a line-oriented log, so whatever follows it is written as a new entry that is indistinguishable from a genuine one. Forged entries can be used to skew statistics, distract the administrator, or implicate another party in a malicious act. If the log file is processed automatically, the attacker can render it unusable by corrupting its format or injecting unexpected characters, or can target a vulnerability in the log-processing tool itself (for example command injection, or XSS in a web-based log viewer).
Rationale
This rule reports calls to java.util.logging.Logger methods (config, entering, exiting, fine, finer, finest, info, log and similar) whose message or parameter arguments derive from an untrusted source, such as an HttpServletRequest parameter, without CR and LF having been neutralized on the way. java.util.logging does not escape its arguments: message parameters are substituted verbatim, and the default formatter writes the record as plain lines, so an embedded CRLF ends the record and starts a new one. Transformations that do not remove embedded line breaks, such as trim, do not clear the taint.
The following code illustrates a vulnerable pattern detected by this rule:
import java.util.logging.{ConsoleHandler, Level, Logger}
import javax.servlet.http.HttpServletRequest

def javaUtilLogging(req: HttpServletRequest): Unit = {
  // Untrusted: a request parameter is attacker-controlled and may contain CR/LF
  val tainted = req.getParameter("test")
  val safe = "safe"
  val logger = Logger.getLogger(classOf[Nothing].getName)
  logger.setLevel(Level.ALL)
  val handler = new ConsoleHandler
  handler.setLevel(Level.ALL)
  logger.addHandler(handler)
  // VULNERABLE: Improper Neutralization of CRLF Sequences ('CRLF Injection')
  logger.config(tainted)
  // VULNERABLE: Improper Neutralization of CRLF Sequences ('CRLF Injection')
  logger.entering(tainted, safe)
  // VULNERABLE: Improper Neutralization of CRLF Sequences ('CRLF Injection')
  logger.entering("safe", safe, tainted)
  // VULNERABLE: Improper Neutralization of CRLF Sequences ('CRLF Injection')
  // (the tainted value is a log parameter; parameters are substituted unescaped)
  logger.entering(safe, "safe", Array[AnyRef](tainted))
  // VULNERABLE: Improper Neutralization of CRLF Sequences ('CRLF Injection')
  logger.exiting(safe, tainted)
  // VULNERABLE: Improper Neutralization of CRLF Sequences ('CRLF Injection')
  logger.exiting(safe, "safe", tainted)
  // VULNERABLE: Improper Neutralization of CRLF Sequences ('CRLF Injection')
  logger.fine(tainted)
  // VULNERABLE: Improper Neutralization of CRLF Sequences ('CRLF Injection')
  // (trim only removes leading/trailing whitespace; embedded CR/LF survive)
  logger.finer(tainted.trim)
  // VULNERABLE: Improper Neutralization of CRLF Sequences ('CRLF Injection')
  logger.finest(tainted)
  // VULNERABLE: Improper Neutralization of CRLF Sequences ('CRLF Injection')
  logger.info(tainted)
  // VULNERABLE: Improper Neutralization of CRLF Sequences ('CRLF Injection')
  logger.log(Level.INFO, tainted)
  // VULNERABLE: Improper Neutralization of CRLF Sequences ('CRLF Injection')
  logger.log(Level.INFO, tainted, safe)
}
Remediation
Neutralize untrusted data before it reaches the logger: remove or escape carriage return, line feed and other control characters (for example, replace them with visible sequences such as \r and \n), or validate the value against a strict allowlist of expected characters. Apply the neutralization to every argument that ends up in the record, including the parameters of log(Level, String, Object) and of entering/exiting, because java.util.logging substitutes parameters into the message without escaping them. Where the log pipeline supports it, prefer a structured format in which the encoder escapes each value, and treat log contents as untrusted data in every downstream viewer or processor. Review the references below for further guidance.
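The following example is added here to show the forgery described above and one way to neutralize it; it is not part of the rule's own sample code. It assumes a java.util.logging setup with the JDK's default SimpleFormatter (which prints each record as two lines, the second starting with the level name), a constructed attacker-supplied username standing in for a request parameter, and a hypothetical helper named neutralize that escapes control characters.

```scala
import java.util.logging.{ConsoleHandler, Level, Logger}

object CrlfSafeLogging {

  // Hypothetical helper (not part of the rule or the JDK): replace every
  // control character with a visible escape so an attacker-controlled value
  // can neither end the current record nor start a new one. U+2028/U+2029
  // are not ISO control characters but some viewers treat them as line
  // breaks, so they are escaped as well (assumption made for this example).
  def neutralize(value: String): String = {
    val sb = new StringBuilder(value.length)
    value.foreach {
      case '\r' => sb.append("\\r")
      case '\n' => sb.append("\\n")
      case '\t' => sb.append("\\t")
      case c if c.isControl || c == '\u2028' || c == '\u2029' =>
        sb.append("<U+%04X>".format(c.toInt))
      case c => sb.append(c)
    }
    sb.toString
  }

  // Hardened call site: the untrusted value is neutralized before it becomes a
  // log parameter. java.util.logging substitutes {0} verbatim, so the escaping
  // has to happen here (or in a custom Formatter), not in the framework.
  def logLoginAttempt(logger: Logger, user: String): Unit =
    logger.log(Level.INFO, "login attempt by user={0}", neutralize(user))

  def main(args: Array[String]): Unit = {
    val logger = Logger.getLogger("auth")
    logger.setUseParentHandlers(false) // avoid a second copy via the root handler
    logger.addHandler(new ConsoleHandler)

    // Constructed payload (assumption: a username read from a request
    // parameter). The CRLF ends the genuine record; the text after it
    // imitates the second line SimpleFormatter prints, so it reads as a
    // separate, legitimate-looking entry for "admin".
    val payload = "bob\r\nINFO: login attempt by user=admin"

    // VULNERABLE: the parameter is substituted unescaped; the console shows
    //   INFO: login attempt by user=bob
    //   INFO: login attempt by user=admin
    logger.log(Level.INFO, "login attempt by user={0}", payload)

    // Hardened: a single record in which the injected line break is visible
    //   INFO: login attempt by user=bob\r\nINFO: login attempt by user=admin
    logLoginAttempt(logger, payload)
  }
}
```

Per-call neutralization, as in logLoginAttempt, relies on every call site remembering to do it, which is exactly what this rule checks for. A custom java.util.logging.Formatter that escapes the result of formatMessage covers all records from one place, but it does not clear the taint at the call site and still leaves the raw value reachable by any other handler attached to the logger.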
References
- OWASP Top 10 2021 - A03: Injection.