GitHub user RostislavReznichenko opened a pull request:
https://github.com/apache/camel/pull/232
VERACODE: fix of CWE ID 117 in camel-core module
During a Veracode scan of our application we discovered a security issue in
Camel. Please review our fix and apply it in future versions.
Quote from Veracode report below:
A function call could result in a log forging attack. Writing unsanitized
user-supplied data into a log file allows an attacker to forge log entries or
inject malicious content into log files. Corrupted log files can be used to
cover an attacker's tracks or as a delivery mechanism for an attack on a log
viewing or processing utility. For example, if a web administrator uses a
browser-based utility to review logs, a cross-site scripting attack might be
possible.
Effort to Fix: 2 - Implementation error. Fix is approx. 6-50 lines of code.
1 day to fix.
Recommendations
Avoid directly embedding user input in log files when possible. Sanitize
user-supplied data used to construct log entries by using a safe logging
mechanism such as the OWASP ESAPI Logger, which will automatically remove
unexpected carriage returns and line feeds and can be configured to use HTML
entity encoding for non-alphanumeric data. Only write custom blacklisting code
when absolutely necessary. Always validate user-supp
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/engagepoint/camel camel-2.13.x
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/camel/pull/232.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #232
----
commit 7f7941c2a65007579738d231426704ff0dd05cad
Author: Rostislav Reznichenko <[email protected]>
Date: 2014-08-05T08:26:57Z
Added OWASP encoder dependency
commit 7f186ee368fa83ef6e00615fc6644edef77d9b93
Author: Rostislav Reznichenko <[email protected]>
Date: 2014-08-05T10:07:31Z
camel-core: Encode data which is used in Java log (CWE ID 117)
----
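As an added illustration of the CWE-117 finding quoted above (this is not code from the PR or from Camel, and it does not use the OWASP encoder the PR adds): a self-contained Java sanitizer that neutralizes CR/LF and other control characters before a value is embedded in a log message, shown beside the unsanitized form. The `sanitizeForLog` name, the message format and the sample input are assumptions constructed for the example.

```java
import java.util.logging.Logger;

public final class LogForgingDemo {
    private static final Logger LOG = Logger.getLogger(LogForgingDemo.class.getName());

    // Hypothetical sanitizer: escape CR/LF/TAB and other control characters so a
    // single input value can never span more than one line in the log.
    static String sanitizeForLog(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\r': sb.append("\\r"); break;
                case '\n': sb.append("\\n"); break;
                case '\t': sb.append("\\t"); break;
                default:
                    // Remaining control chars (e.g. ESC, which drives terminal escape
                    // sequences in log viewers) are rendered as \uXXXX escapes.
                    if (c < 0x20 || c == 0x7f) {
                        sb.append(String.format("\\u%04x", (int) c));
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.toString();
    }

    // Vulnerable form: the raw value is concatenated into the message, so an
    // embedded newline followed by fake text shows up as a separate log entry.
    static String unsafeMessage(String userId) {
        return "Login failed for user " + userId;
    }

    // Hardened form: the value is neutralized first; the forged text stays on
    // the same line as the real entry and is visibly escaped.
    static String safeMessage(String userId) {
        return "Login failed for user " + sanitizeForLog(userId);
    }

    public static void main(String[] args) {
        // Constructed sample input containing an embedded line break
        String crafted = "guest\nINFO: Login succeeded for user admin";
        LOG.warning(unsafeMessage(crafted)); // two lines reach the log
        LOG.warning(safeMessage(crafted));   // one line, with the break shown as \n
    }
}
```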