Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Java : Add Log Injection Vulnerability #5099

Merged
merged 5 commits into from
Mar 24, 2021
Merged

Java : Add Log Injection Vulnerability #5099

merged 5 commits into from
Mar 24, 2021

Conversation

porcupineyhairs
Copy link
Contributor

This is a continuation of @dellalibera's #3882.

CC: @smowton @Marcono1234 @intrigus-lgtm

@porcupineyhairs porcupineyhairs requested a review from a team as a code owner February 4, 2021 18:21
@porcupineyhairs
Copy link
Contributor Author

There is already a bounty application open with GHSL. See github/securitylab#144

This was referenced Feb 4, 2021
Open
Closed
intrigus-lgtm
intrigus-lgtm reviewed Feb 4, 2021
View reviewed changes
Copy link
Contributor

@intrigus-lgtm intrigus-lgtm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just some comments.
The .qhelp file has only been checked for missing <code> tags and nothing else.

java/ql/src/experimental/Security/CWE/CWE-117/LogInjection.qhelp Outdated Show resolved Hide resolved
java/ql/src/experimental/Security/CWE/CWE-117/LogInjection.qhelp Outdated Show resolved Hide resolved
java/ql/src/experimental/Security/CWE/CWE-117/LogInjection.qhelp Outdated Show resolved Hide resolved
java/ql/src/experimental/Security/CWE/CWE-117/LogInjection.qhelp Outdated Show resolved Hide resolved
java/ql/src/experimental/Security/CWE/CWE-117/LogInjection.qhelp Outdated Show resolved Hide resolved
java/ql/src/experimental/Security/CWE/CWE-117/LogInjection.qhelp Outdated Show resolved Hide resolved
java/ql/src/experimental/Security/CWE/CWE-117/LogInjection.qhelp Outdated Show resolved Hide resolved
java/ql/src/experimental/Security/CWE/CWE-117/LogInjection.ql Outdated Show resolved Hide resolved
java/ql/src/experimental/semmle/code/java/Logging.qll Outdated Show resolved Hide resolved
owen-mc
owen-mc previously requested changes Feb 5, 2021
View reviewed changes
Copy link
Contributor

@owen-mc owen-mc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be great to have some tests.

java/ql/src/experimental/Security/CWE/CWE-117/LogInjection.java Outdated Show resolved Hide resolved
java/ql/src/experimental/Security/CWE/CWE-117/LogInjection.qhelp Outdated Show resolved Hide resolved
java/ql/src/experimental/Security/CWE/CWE-117/LogInjection.qhelp Outdated Show resolved Hide resolved
java/ql/src/experimental/Security/CWE/CWE-117/LogInjection.qhelp Outdated Show resolved Hide resolved
java/ql/src/experimental/Security/CWE/CWE-117/LogInjection.qhelp Outdated Show resolved Hide resolved
java/ql/src/experimental/Security/CWE/CWE-117/LogInjection.ql Outdated Show resolved Hide resolved
java/ql/src/experimental/Security/CWE/CWE-117/LogInjection.ql Outdated Show resolved Hide resolved
java/ql/src/experimental/Security/CWE/CWE-117/LogInjection.ql Show resolved Hide resolved
java/ql/src/experimental/semmle/code/java/Logging.qll Show resolved Hide resolved
java/ql/src/experimental/Security/CWE/CWE-117/LogInjection.ql Outdated Show resolved Hide resolved
@porcupineyhairs
Copy link
Contributor Author

@owen-mc I have the latest changes here. As for the tests, let this PR be merged as experimental. I keep running it issues with stubbing Java dependencies again and again. So I have decided to write a simple tool to generate the stubs for me. Until that is fully functional, I won't be adding any tests to any of my Java PR's.

owen-mc
owen-mc reviewed Mar 4, 2021
View reviewed changes
Copy link
Contributor

@owen-mc owen-mc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have set two LGTM runs going, one with the sanitizer guards and one without. I sympathise about stubbing. For codeql for Go there is a tool called Depstubber to do stubbing.

java/ql/src/experimental/Security/CWE/CWE-117/LogInjection.ql Outdated Show resolved Hide resolved
java/ql/src/experimental/Security/CWE/CWE-117/LogInjection.ql Outdated Show resolved Hide resolved
@owen-mc
Copy link
Contributor

owen-mc commented Mar 10, 2021

I did two lgtm runs. There were a lot of results, and not much difference between the two runs. There were results in 7066 projects for the run with sanitizers and 7073 for the run without. Some projects also had different numbers of results. Unfortunately lgtm doesn't make it particularly easy to diff the two outputs. CruxFramework/crux is one of the projects that had results in the second run but not the first. I looked at one of its results and it seems to be inappropriately sanitizer-guarded by endswith. The rest of the results for that repo are very similar, so I think the same must be the case.

I stand by my suggestion about which sanitizer guards to remove.

@owen-mc
Copy link
Contributor

owen-mc commented Mar 15, 2021

@porcupineyhairs Do you intend to update the sanitizer guards? I will then move this to the next stage of the process.

@porcupineyhairs
Copy link
Contributor Author

@owen-mc I have removed the sanitizers and rebased the PR to the latest main.

@owen-mc owen-mc assigned aschackmull and unassigned owen-mc Mar 18, 2021
@owen-mc owen-mc dismissed their stale review March 18, 2021 14:27

Changes have been made

@aschackmull aschackmull merged commit 63831cc into github:main Mar 24, 2021
@porcupineyhairs porcupineyhairs deleted the javaLogInjection branch March 24, 2021 18:52
This was referenced Nov 4, 2021
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Marcono1234 Marcono1234 Marcono1234 left review comments

@intrigus-lgtm intrigus-lgtm intrigus-lgtm left review comments

@owen-mc owen-mc owen-mc left review comments

@aschackmull aschackmull aschackmull approved these changes

Assignees

@aschackmull aschackmull

Labels
documentation Java
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@porcupineyhairs @owen-mc @Marcono1234 @aschackmull @intrigus-lgtm