Log injection High

User-provided inputs must be sanitized before they are logged. An attacker can use unsanitized input to break a log's integrity, forge log entries, or bypass log monitors.

Detector ID
java/log-injection@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

@RequestMapping("/example.htm")
public ModelAndView loggingNonCompliant(HttpServletRequest request) {
    ModelAndView result = new ModelAndView("success");
    String userId = request.getParameter("userId");
    result.addObject("userId", userId);
    // More logic here to populate the result.
    // Noncompliant: unsanitized input is logged.
    log.info("Successfully processed request for user ID: {}.", userId);
    return result;
}

Compliant example

@RequestMapping("/example.htm")
public ModelAndView loggingCompliant(HttpServletRequest request) {
    ModelAndView result = new ModelAndView("success");
    String userId = request.getParameter("userId");
    String sanitizedUserId = sanitize(userId);
    result.addObject("userId", sanitizedUserId);
    // More logic here to populate the result.
    // Compliant: input is sanitized before logging.
    log.info("Successfully processed request for user ID: {}.", sanitizedUserId);
    return result;
}

private static String sanitize(String userId) {
    // getParameter returns null when the parameter is absent.
    if (userId == null) {
        return "";
    }
    // Remove all chars except digits.
    return userId.replaceAll("\\D", "");
}
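
The compliant example strips everything except digits, which only suits numeric IDs. The following added example (not part of the original page or the detector's own code) goes beyond that case: it escapes line breaks and control characters in free-form values, and shows the effect on a constructed input. The names `LogInjectionDemo`, `neutralize` and `render` are hypothetical, and `render` stands in for a plain-text log appender.

```java
public class LogInjectionDemo {

    // Hypothetical helper (an assumption, not from the page): escapes line
    // breaks and control characters so a value stays on one log line and the
    // original content remains visible to whoever reads the log.
    static String neutralize(String value) {
        if (value == null) {
            return "(null)";
        }
        StringBuilder out = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); ) {
            int cp = value.codePointAt(i);
            i += Character.charCount(cp);
            if (cp == '\\') {
                out.append("\\\\"); // escape the escape character to keep output unambiguous
            } else if (cp == '\r') {
                out.append("\\r");
            } else if (cp == '\n') {
                out.append("\\n");
            } else if (Character.isISOControl(cp) || cp == 0x2028 || cp == 0x2029) {
                // Other control characters and the Unicode line/paragraph separators.
                out.append(String.format("\\u%04x", cp));
            } else {
                out.appendCodePoint(cp);
            }
        }
        return out.toString();
    }

    // Stand-in for log.info("... {}.", userId) written by a plain-text appender.
    static String render(String userId) {
        return "INFO Successfully processed request for user ID: " + userId + ".";
    }

    public static void main(String[] args) {
        // Constructed sample input: a line break followed by text shaped like a log entry.
        String userId = "42\nINFO Successfully processed request for user ID: 1000.";
        String raw = render(userId);
        String safe = render(neutralize(userId));
        System.out.println("raw entry spans " + raw.split("\n").length + " line(s)");
        System.out.println("neutralized entry spans " + safe.split("\n").length + " line(s)");
        System.out.println(safe);
    }
}
```

Escaping rather than deleting keeps the submitted value recoverable during an investigation, while a line-oriented log monitor still sees exactly one entry per request.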