Onyx2406 opened a new pull request, #3308: URL: https://github.com/apache/fineract/pull/3308
## Description

This PR mitigates potential log injection vulnerabilities found in the Sender.java file. Log Injection vulnerabilities occur when unsanitized user input is written directly to a log entry. A malicious user could potentially exploit this to forge log entries or inject malicious content. For example, consider the following code:

```java
String responseBody = getUserInput();
LOG.log(Level.WARNING, "Unrecognized response: " + responseBody);
```

If a malicious user provides a `responseBody` that contains newline characters like `"Valid response\nSomething malicious"`, it would be logged as two separate log entries. This could be exploited to forge log entries or to inject malicious content into the logs.

To mitigate this, a new private method `sanitize` was introduced that replaces newline and carriage return characters in the logs' input strings with their literal equivalents, i.e., `\n` and `\r`. This method was then used to sanitize the `responseBody` variable in the relevant parts of the code.

Reference: [CWE-117](https://github.com/github/codeql/pull/6182)

## Checklist

Please make sure these boxes are checked before submitting your pull request - thanks!

- [x] Write the commit message as per https://github.com/apache/fineract/#pull-requests
- [x] Acknowledge that we will not review PRs that are not passing the build _("green")_ - it is your responsibility to get a proposed PR to pass the build, not primarily the project's maintainers.
- [x] Create/update unit or integration tests for verifying the changes made.
- [x] Follow coding conventions at https://cwiki.apache.org/confluence/display/FINERACT/Coding+Conventions.
- [x] Add required Swagger annotation and update API documentation at fineract-provider/src/main/resources/static/legacy-docs/apiLive.htm with details of any API changes
- [x] Submission is not a "code dump". (Large changes can be made "in repository" via a branch. Ask on the developer mailing list for guidance, if required.)
FYI our guidelines for code reviews are at https://cwiki.apache.org/confluence/display/FINERACT/Code+Review+Guide. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
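The mitigation the PR describes, shown as an added, self-contained example (this is not the Fineract PR's own code, and `LogSanitizerExample`, `sanitize`, `sanitizeStrict` and the sample `responseBody` value are constructed here). The first helper does exactly what the PR text says: it replaces `\r` and `\n` with their two-character literal escapes. The second goes one step further than the PR and escapes every other ASCII control character and the Unicode line separators as well, because a log viewer or terminal can be confused by those too (CWE-117 covers more than bare newlines):

```java
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example illustrating the log-injection mitigation described in the PR.
// Not the project's code; names and sample data below are constructed.
public class LogSanitizerExample {

    private static final Logger LOG = Logger.getLogger(LogSanitizerExample.class.getName());

    // Mirrors the PR's description: newline and carriage return become the
    // literal text "\n" and "\r", so one log call stays one log line.
    static String sanitize(String input) {
        if (input == null) {
            return null;
        }
        // String.replace(CharSequence, CharSequence) replaces every occurrence.
        return input.replace("\r", "\\r").replace("\n", "\\n");
    }

    // Stricter variant (beyond the PR): also escapes tab, other C0 control
    // characters, DEL and the Unicode line/paragraph separators, so terminal
    // escape sequences (ESC, 0x1B) cannot recolour or overwrite viewer output.
    static String sanitizeStrict(String input) {
        if (input == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(input.length());
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '\n': sb.append("\\n"); break;
                case '\r': sb.append("\\r"); break;
                case '\t': sb.append("\\t"); break;
                default:
                    if (c < 0x20 || c == 0x7F || c == '\u2028' || c == '\u2029') {
                        sb.append(String.format("\\u%04x", (int) c));
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.toString();
    }

    // Simple check a reviewer can apply: a sanitized string must never
    // contain a raw line break, whatever the input was.
    static boolean isSingleLine(String s) {
        return s != null && s.indexOf('\n') < 0 && s.indexOf('\r') < 0;
    }

    public static void main(String[] args) {
        // Constructed sample: an untrusted response body carrying an embedded
        // line break, the pattern the PR description warns about.
        String responseBody = "Valid response\nSomething malicious";

        // Before: the raw value splits the entry into two log lines.
        LOG.log(Level.WARNING, "Unrecognized response (raw): " + responseBody);

        // After: the escaped value stays on one line, and the line break is
        // still visible to whoever reads the log.
        String safe = sanitize(responseBody);
        LOG.log(Level.WARNING, "Unrecognized response (sanitized): " + safe);

        // Expected: raw value is multi-line, both sanitized forms are single-line.
        System.out.println("raw single-line?       " + isSingleLine(responseBody));
        System.out.println("sanitize single-line?  " + isSingleLine(safe));
        System.out.println("strict single-line?    " + isSingleLine(sanitizeStrict(responseBody)));
    }
}
```

Two practical notes for reviewers of changes like this one: the helper has to be applied at every call site that logs the untrusted value (a single missed `LOG.log(...)` keeps the finding open), and escaping at the call site is a complement to, not a replacement for, doing the same thing centrally in the logging layout or encoder, where it cannot be forgotten.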
