vidakovic commented on PR #3308: URL: https://github.com/apache/fineract/pull/3308#issuecomment-1636589057
I think there are a couple of things wrong here:

- this issue seems to be inspired by a python project; you can't just make the same assumptions here without looking at the libs we use for logging (logback)... which has no known log injection issue (like log4j had)
- are multiple lines (the only thing I possibly see here happening) really that much of an issue?
- let's say yes for a moment... then why do string concatenation here instead of using proper log placeholders? concatenation is just wrong
- when we use placeholders then the input passes through the log encoder; if you still think that multiple lines are that much of an issue then configure JSON log encoding and voila, the problem is contained
- personally I would discourage people from logging content like that in the first place; in production this just bloats the log files unnecessarily; better use the debug log level if you really need to investigate; then this perceived issue won't happen in production and you have full control over when and if the input reaches your logs

Note: at first sight this might look like a security issue... we have a proper process in place for this... if you reveal everything immediately in an open PR then we have no chance of fixing things before they get exploited.
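To make the "multiple lines" point and the JSON-encoding remedy from the comment above concrete, here is an added example that is not part of the Fineract PR, the thread, or logback. It uses Python's standard `logging` module as a stand-in for a logback pattern layout versus a JSON encoder: the same constructed input (a username carrying an embedded newline) is written once through a plain text formatter with string concatenation and once through a placeholder plus a JSON formatter, and a line-oriented reader counts how many physical records each output yields. `JsonFormatter`, `make_logger`, `SAMPLE_INPUT` and the other names are hypothetical helpers written for this illustration.

```python
import io
import json
import logging

# Constructed sample input: a username with an embedded newline followed by text
# shaped like a second log record (the "multiple lines" concern from the thread).
SAMPLE_INPUT = "alice\n2023-07-14 12:00:00 INFO  LoginService - login ok user=admin"


class JsonFormatter(logging.Formatter):
    """Hypothetical JSON encoder: one JSON object per record on one physical line.

    json.dumps escapes a literal newline inside a string as '\\n', so an embedded
    newline in a message argument cannot start a new line in the log file.
    """

    def format(self, record: logging.LogRecord) -> str:
        return json.dumps({
            "level": record.levelname,
            "logger": record.name,
            "message": record.getMessage(),  # placeholder arguments resolved here
        })


def make_logger(name: str, formatter: logging.Formatter):
    """Build an isolated logger that writes to an in-memory buffer."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(formatter)
    logger = logging.getLogger(name)
    logger.handlers = []          # reset if the function is called more than once
    logger.propagate = False      # keep the root logger out of the output
    logger.setLevel(logging.DEBUG)
    logger.addHandler(handler)
    return logger, buf


def log_plain_text(user_input: str) -> str:
    """Plain pattern layout with string concatenation: input is written verbatim."""
    fmt = logging.Formatter("%(levelname)s %(name)s - %(message)s")
    logger, buf = make_logger("plain", fmt)
    logger.info("login attempt user=" + user_input)
    return buf.getvalue()


def log_json(user_input: str) -> str:
    """Placeholder plus JSON encoder: the argument is resolved, then escaped."""
    logger, buf = make_logger("json", JsonFormatter())
    logger.info("login attempt user=%s", user_input)
    return buf.getvalue()


def physical_records(text: str) -> list[str]:
    """Split log output the way a line-oriented log shipper or grep would."""
    return text.splitlines()


def parse_json_records(text: str) -> list[dict]:
    """Decode JSON-encoded output; the original message comes back intact."""
    return [json.loads(line) for line in text.splitlines()]


if __name__ == "__main__":
    print("plain text layout, physical records:", len(physical_records(log_plain_text(SAMPLE_INPUT))))
    print("json encoder, physical records:     ", len(physical_records(log_json(SAMPLE_INPUT))))
    print("json message recovered:", parse_json_records(log_json(SAMPLE_INPUT))[0]["message"] == "login attempt user=" + SAMPLE_INPUT)
```

Run as a script, the plain text layout produces two physical lines from one log call, the second of which looks like an unrelated INFO record to anything that reads the file line by line; the JSON encoder produces exactly one line and a JSON reader recovers the full message, newline included. This is the containment the comment describes, and counting records per log call is also a cheap check to run in a test when a team wants to confirm that its chosen encoder keeps one record per line.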
