You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@logging.apache.org by "Matt Sicker (Jira)" <ji...@apache.org> on 2022/01/22 04:22:00 UTC

[jira] [Commented] (LOG4J2-3037) Add methods for logging untrusted arguments

    [ https://issues.apache.org/jira/browse/LOG4J2-3037?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17480342#comment-17480342 ] 

Matt Sicker commented on LOG4J2-3037:
-------------------------------------

This still seems relevant, though with the message lookup thing already being fixed, I'm not sure if there's much that can be done with user input for things like PatternLayout (maybe removing newlines?).

> Add methods for logging untrusted arguments
> -------------------------------------------
>
>                 Key: LOG4J2-3037
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3037
>             Project: Log4j 2
>          Issue Type: Improvement
>          Components: API
>            Reporter: Marcono1234
>            Priority: Major
>
> While LOG4J2-2511 would prevent log injection, it appears Log4j 2 does not provide any safe means for logging untrusted (potentially malicious) data without it messing with the output. Simply not logging such data is often not an option, because it is important to understand which steps an adversary took.
> It would therefore be good if Log4j 2 provided logging methods for untrusted data, which escape any potentially malicious input.
> Adding such methods to {{Logger}} is probably not an option because it would further bloat the API, making it less usable. However, maybe such methods could be added to {{LogBuilder}}.
> The following API would allow this (and could unrelated to this request also support logging primitive arguments without boxing):
> {code}
> interface LogBuilder {
>     interface MessageWithArgsBuilder {
>         MessageWithArgsBuilder withArg(Object arg);
>         MessageWithArgsBuilder withUntrustedArg(Object arg);
>         void log();
>     }
>     MessageWithArgsBuilder withMessage(String messageTemplate);
> }
> {code}
> The usage would then look like this:
> {code}
> logger.atWarn()
>   .withMessage("User provided invalid argument {} to service {}")
>   .withUntrustedArg(arg)
>   .withArg(service)
>   .log();
> {code}
> The implementation of {{withUntrustedArg}} would then only allow a subset of the ASCII chars, encasing the argument with double quotes {{"}}, and replacing any non allowed characters with their Unicode escape sequence {{\uXXXX}}, adding to any existing escape sequences an additional {{u}}, e.g.
> {noformat}
> test" \u1234
> {noformat}
> would become
> {noformat}"test\u0022 \uu1234"
> {noformat}
> in the output.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)