Hi, We need further information about fixing issues reported by the rule
javasecurity:S5145 Change this code to not log user-controlled data.
Logging should not be vulnerable to injection attacks
The example compliant solution shows some replace call on the string
data = data.replaceAll("[\n\r]", "_");
but what exactly is the rule looking for to accept input as sanitized or validated?
To understand what’s going on, I was looking for the source code of the rule, but could not find it.
Can you therefore
Provide more information on what exactly the rule is looking for to accept input as sanitized or validated
Provide relevant source code of the rule
Thanks
What language is this for: java
Which rule: javasecurity:S5145 Change this code to not log user-controlled data.
We are using
SonarQube: Enterprise Edition Version 9.9.1 (build 69595)
As part of a security analysis of our application we investigate whether the provided Sonar security rules can be applied.
The concept of
javasecurity:S5145 Change this code to not log user-controlled data
sounds promising, but it seems that the provided implementation only focuses on the replacement of newlines.
It also seems that a compliant solution must use the slow replaceAll() call, which constructs a regex on each call,
while more performant solutions are not accepted:
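The following is an added example, not code from this thread or from SonarSource. It shows the log forging that S5145 is meant to prevent (a user-controlled value carrying CR/LF that splits one log call into two records), the rule's compliant replaceAll form with the pattern precompiled once instead of on every call, and a regex-free single-pass loop that produces the same result. The class, method names and log-line format are hypothetical; as the thread notes, the rule only treats a method as a sanitizer if it is one of its built-in sanitizers or is registered in custom configuration, so the loop variant would still be flagged unless configured.

```java
import java.util.regex.Pattern;

// Added example (not from SonarSource or the thread): log forging via CR/LF and two
// ways to neutralise it before the value reaches a logger.
public final class LogSanitizerDemo {

    // Precompiled once. The rule's compliant example, data.replaceAll("[\n\r]", "_"),
    // compiles this same pattern on every call.
    private static final Pattern CRLF = Pattern.compile("[\n\r]");

    /** Same result as the rule's compliant replaceAll form, without per-call regex compilation. */
    public static String sanitizeWithRegex(String data) {
        return CRLF.matcher(data).replaceAll("_");
    }

    /**
     * Regex-free single pass. Behaviourally equivalent to sanitizeWithRegex, but S5145
     * only recognises it as a sanitizer if it is registered in custom configuration.
     */
    public static String sanitizeNoRegex(String data) {
        StringBuilder sb = new StringBuilder(data.length());
        for (int i = 0; i < data.length(); i++) {
            char c = data.charAt(i);
            sb.append(c == '\n' || c == '\r' ? '_' : c);
        }
        return sb.toString();
    }

    /** Builds the record the application would log. Hypothetical format: "LEVEL  message". */
    static String loginFailedLine(String user) {
        return "WARN  Login failed for user: " + user;
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled input: a username that embeds CRLF followed by a
        // forged INFO record, so a single log call prints as two records.
        String user = "alice\r\nINFO  Login succeeded for user: admin";

        System.out.println("-- unsanitised (what S5145 flags) --");
        System.out.println(loginFailedLine(user));

        System.out.println("-- sanitised, precompiled regex --");
        System.out.println(loginFailedLine(sanitizeWithRegex(user)));

        System.out.println("-- sanitised, regex-free loop --");
        System.out.println(loginFailedLine(sanitizeNoRegex(user)));

        // Both sanitizers must agree and leave no line break in the value.
        String a = sanitizeWithRegex(user);
        String b = sanitizeNoRegex(user);
        if (!a.equals(b) || a.indexOf('\n') >= 0 || a.indexOf('\r') >= 0) {
            throw new AssertionError("sanitizers disagree or left a line break");
        }
    }
}
```

Run with `javac LogSanitizerDemo.java && java LogSanitizerDemo`: the first section prints two log records from one call, the other two print a single record with `_` where the CR and LF were. Replacing only CR/LF is exactly the scope of the rule's compliant example; if the log format is consumed by something that interprets other control characters, extend the check accordingly.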
Are you facing the same problem @patrik.jetzer reported?
If StringUtils is org.apache.commons.lang3.StringUtils then yes this should be part of the methods we consider as sanitizers for this rule. I created an improvement ticket so that it’s fixed in a future version of SonarQube.
You can’t; this component is closed source, as it’s part of the commercial editions of our products.
But you can customize what the rule considers a sanitizer using a custom configuration.
I have looked now at the
Java JSON file example
in
Unfortunately, the format of the JSON file seems not complete.
can you provide a formal definition of methodId?
(it seems to be a mixture of textual and bytecode signature, but how would e.g. a non-top level class be referenced, with ‘.’ or ‘$’)
When this is set to true it will match any method signature that starts with what is specified in the methodId field. If not set, or set to false, it will match the exact method signature instead.
They are not identical. If you look carefully you will see that the package name is slightly different.