log forging fortify fix

java security logging fortify log-forging

31,872

Solution 1

Alina, I'm actually the author of the article you used to solve your log injection issue. Hope it was helpful.

Vitaly is correct with regards to Fortify. You'll need to build what Fortify calls a "custom rule".

It will likely be a dataflow cleanse rule. A basic example can be found here: http://www.cigital.com/newsletter/2009-11-tips.php. If you own Fortify, there should be a custom rule writing guide in your product documentation.

I don't know what the taint flag you'll use is, but it would look something like "-LOG_FORGING". You would essentially write a rule to remove the log forging "taint" whenever data is passed through your utility method. Fortify will them assume that any data passed through there is now safe to be written to a log, and will not cause log forging.

Solution 2

I know this was already answered, but I thought an example would be nice :)

<?xml version="1.0" encoding="UTF-8"?>
<RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
  <RulePackID>D82118B1-BBAE-4047-9066-5FC821E16456</RulePackID>
  <SKU>SKU-Validated-Log-Forging</SKU>
  <Name><![CDATA[Validated-Log-Forging]]></Name>
  <Version>1.0</Version>
  <Description><![CDATA[Validated-Log-Forging]]></Description>
  <Rules version="3.14">
    <RuleDefinitions>
      <DataflowCleanseRule formatVersion="3.14" language="java">
        <RuleID>DDAB5D73-8CF6-45E0-888C-EEEFBEFF2CD5</RuleID>
        <TaintFlags>+VALIDATED_LOG_FORGING</TaintFlags>
        <FunctionIdentifier>
          <NamespaceName>
            <Pattern/>
          </NamespaceName>
          <ClassName>
            <Pattern>Util</Pattern>
          </ClassName>
          <FunctionName>
            <Pattern>replaceNewLine</Pattern>
          </FunctionName>
          <ApplyTo implements="true" overrides="true" extends="true"/>
        </FunctionIdentifier>
        <OutArguments>return</OutArguments>
      </DataflowCleanseRule>
    </RuleDefinitions>
  </Rules>
</RulePack>

Solution 3

You need to mark your replaceNewLine as sanitiser in Fortify (if I remember correctly) and it will stop reporting the issue.

31,872

Author by

Alina Danila

Updated on July 05, 2022

Comments

Alina Danila almost 2 years
I am using Fortify SCA to find the security issues in my application (as a university homework). I have encountered some 'Log Forging' issues which I am not able to get rid off.

Basically, I log some values that come as user input from a web interface:
```
logger.warn("current id not valid - " + bean.getRecordId()));
```
and Fortify reports this as a log forging issue, because the getRecordId() returns an user input.

I have followed this article, and I am replacing the 'new line' with space, but the issue is still reported
```
logger.warn("current id not valid - " + Util.replaceNewLine(bean.getRecordId()));
```
Can anyone suggest a way to fix this issue?