Hi, we need further information about fixing issues reported by the rule
javasecurity:S5145 "Change this code to not log user-controlled data."
(Logging should not be vulnerable to injection attacks).
The example compliant solution shows some replace call on the string:
data = data.replaceAll("[\n\r]", "_");
but what exactly is the rule looking for to accept input as sanitized or validated?
To understand what’s going on, I was looking for the source code of the rule, but could not find it.
Can you therefore
1. provide more information on what exactly the rule is looking for to accept input as sanitized or validated, and
2. provide the relevant source code of the rule?
What language is this for: java
Which rule: javasecurity:S5145 Change this code to not log user-controlled data.
We are using
SonarQube: Enterprise Edition Version 9.9.1 (build 69595)
If StringUtils is org.apache.commons.lang3.StringUtils then yes this should be part of the methods we consider as sanitizers for this rule. I created an improvement ticket so that it’s fixed in a future version of SonarQube.
You can't: this component is closed source, as it's part of our commercial editions of the products.
But you can customize what this rule considers a sanitizer using a custom configuration.
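As an added illustration (not code from the original thread or from SonarSource), the following Java class puts the pattern S5145 reports next to the compliant form from the rule's example, and shows why the line-break replacement matters: with the constructed input below, the noncompliant method writes two log records, the second one shaped entirely by the caller, while the sanitized method writes one. The class and method names are assumed for the example.

```java
import java.util.logging.Logger;
import java.util.regex.Pattern;

// Added example: the logging pattern S5145 flags and the sanitizer its
// compliant example uses, side by side (names are hypothetical).
public class LogInjectionExample {
    private static final Logger LOG = Logger.getLogger(LogInjectionExample.class.getName());
    // Same character class as the rule's compliant example: CR and LF.
    private static final Pattern CRLF = Pattern.compile("[\n\r]");

    // Noncompliant: the user-controlled value reaches the logger unchanged,
    // so a CR/LF inside it starts a new line in the log that looks like a
    // separate, legitimate record.
    static void logLoginNoncompliant(String username) {
        LOG.info("Login attempt for user: " + username);
    }

    // Sanitizer: collapse line breaks to '_' before the value is logged.
    // Methods like this one are what the rule needs to recognise to stop
    // reporting the call site.
    static String sanitizeForLog(String data) {
        if (data == null) {
            return "null";
        }
        return CRLF.matcher(data).replaceAll("_");
    }

    // Compliant: only the sanitized value is concatenated into the message.
    static void logLoginCompliant(String username) {
        LOG.info("Login attempt for user: " + sanitizeForLog(username));
    }

    public static void main(String[] args) {
        // Constructed sample input: a username carrying an embedded line break.
        String tainted = "alice\nINFO: Login succeeded for user: admin";
        logLoginNoncompliant(tainted); // two records in the log output
        logLoginCompliant(tainted);    // one record, the break shown as '_'
    }
}
```

Running the class prints both variants to the console-backed JUL logger, so the difference is visible without any log viewer.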