GitHub user RostislavReznichenko opened a pull request:

    https://github.com/apache/camel/pull/232

    VERACODE: fix of CWE ID 117 in camel-core module

    During a Veracode scan of our application we discovered a security issue in 
Camel. Please review our fix and apply it in future versions.
    
    Quote from Veracode report below:
    
    A function call could result in a log forging attack. Writing unsanitized 
user-supplied data into a log file allows an attacker to forge log entries or 
inject malicious content into log files. Corrupted log files can be used to 
cover an attacker's tracks or as a delivery mechanism for an attack on a log 
viewing or processing utility. For example, if a web administrator uses a 
browser-based utility to review logs, a cross-site scripting attack might be 
possible.
    Effort to Fix: 2 - Implementation error. Fix is approx. 6-50 lines of code. 
1 day to fix.
    
    Recommendations
    Avoid directly embedding user input in log files when possible. Sanitize 
user-supplied data used to construct log entries by using a safe logging 
mechanism such as the OWASP ESAPI Logger, which will automatically remove 
unexpected carriage returns and line feeds and can be configured to use HTML 
entity encoding for non-alphanumeric data. Only write custom blacklisting code 
when absolutely necessary. Always validate user-supp

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/engagepoint/camel camel-2.13.x

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/camel/pull/232.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #232
    
----
commit 7f7941c2a65007579738d231426704ff0dd05cad
Author: Rostislav Reznichenko <rostislav.rezniche...@engagepoint.com>
Date:   2014-08-05T08:26:57Z

    Added OWASP encoder dependency

commit 7f186ee368fa83ef6e00615fc6644edef77d9b93
Author: Rostislav Reznichenko <rostislav.rezniche...@engagepoint.com>
Date:   2014-08-05T10:07:31Z

    camel-core: Encode data which is used in the Java log (CWE ID 117)

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---
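The quoted Veracode finding is CWE-117, log forging: a value taken from a request and written into a log as-is can carry carriage returns or line feeds that start a new, attacker-chosen log record, or markup that a browser-based log viewer will render. The following Java class is an added illustration of that failure mode and of the sanitization the report recommends; it is example code written for this page, not the diff from this pull request or code from Camel. It uses only the JDK, replacing CR, LF and other control characters with a plain regex rather than the OWASP encoder dependency the first commit adds, and all class and method names in it are hypothetical.

```java
import java.util.logging.Logger;
import java.util.regex.Pattern;

/**
 * Added example (not Camel code): shows how an unsanitized header value splits a
 * single log call into two physical log lines, and how stripping line breaks and
 * control characters before logging prevents that.
 */
public final class LogForgingExample {

    private static final Logger LOG = Logger.getLogger(LogForgingExample.class.getName());

    // Characters that must never reach a line-oriented log unchanged: C0 controls
    // (except TAB), DEL, C1 controls and the Unicode line/paragraph separators.
    // Double backslashes keep the compiler from turning \u000A into a real newline.
    private static final Pattern LOG_UNSAFE = Pattern.compile(
            "[\\u0000-\\u0008\\u000A-\\u001F\\u007F-\\u009F\\u2028\\u2029]");

    /** Vulnerable form: the raw value is embedded, so an embedded "\n" forges a new entry. */
    static String vulnerableEntry(String header) {
        return "Received header: " + header;
    }

    /** Replaces every line break and control character so the value stays on one line. */
    static String sanitizeForLog(String value) {
        if (value == null) {
            return "null";
        }
        return LOG_UNSAFE.matcher(value).replaceAll("_");
    }

    /** Hardened form: identical message, but the user-supplied part is sanitized first. */
    static String safeEntry(String header) {
        return "Received header: " + sanitizeForLog(header);
    }

    /**
     * Minimal HTML entity encoding for logs that are later shown in a browser-based
     * viewer (the second risk the report names). Apply in addition to sanitizeForLog.
     */
    static String escapeHtml(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Number of physical lines a message occupies once written to a line-oriented log. */
    static int lineCount(String message) {
        return message.split("\r\n|\r|\n", -1).length;
    }

    public static void main(String[] args) {
        // Constructed sample input: a header value carrying a forged second record.
        String forged = "abc\nINFO: admin login succeeded from 10.0.0.1";

        String unsafe = vulnerableEntry(forged);
        String safe = safeEntry(forged);

        System.out.println("vulnerable entry spans " + lineCount(unsafe) + " lines"); // 2
        System.out.println("sanitized entry spans  " + lineCount(safe) + " lines");   // 1

        LOG.info(unsafe);                  // second line reads like an independent INFO record
        LOG.info(safe);                    // "Received header: abc_INFO: admin login ..."
        LOG.info(escapeHtml(safe));        // additionally safe for an HTML log viewer
    }
}
```

Compiled with `javac LogForgingExample.java` and run with `java LogForgingExample`, the vulnerable entry is written as two physical lines, the second of which is indistinguishable from a genuine record for anyone reading the file, while the sanitized entry stays on one line. The same regex can be run over existing log files to flag records that contain embedded control characters, which is a cheap detection for forging attempts. Where a project already depends on the OWASP Java Encoder, as the first commit of this pull request does, `Encode.forJava` produces an escaped (`\n`, `\r`) rendering of a value and is one ready-made alternative to the hand-written pattern; which encoder method the second commit actually applies is not visible in this notification.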
