This whole problem sounds as follows: - we don't escape because we don't think we should use a pattern layout like this - an attacker sends data to the log - the log sends data to a processing system - if this processing issue has a flaw, bad things might happen
It does not sound like a widespread scenario, but a possible one. When I have learned one thing, it is we should not assume to know how a user might use a component. Even when we don't recommend this format for machine2machine, people still do it. I assume we could quickly make log4j safer by adding an encoder, as suggested by Vladimir, so my question is, why should we not do it? Kind regards, Christian On Thu, Oct 12, 2023, at 18:37, Klebanov, Vladimir wrote: > Hi Volkan, > > It's not just about exchanging data between systems - that is just one > particular instance of a larger problem. If you use a pattern layout > for _any_ reason, it is currently extremely inconvenient to configure > securely. If you use a structured layout, again for any reason, it's > still inconvenient to configure securely, though indeed less so than a > pattern layout. My understanding is that not everyone can, will, or > should always use a structured layout over a pattern layout. For > entertainment, I have collected some layout statistics, which I include > below. > > For the pattern layout case, I have prototyped improved encoders that > can be used with log4j. The code has already been shared with you, > though it will obviously need (lots of) discussion. I am happy to > continue discussing the topic / working on the code with anyone who > finds it worthwhile. > > Thanks, > Vladimir > > Statistics: The dataset is certainly debatable, but it's the best one I > have. Out of the top 1000 starred Java repositories on GitHub, 89 > contain a file log4j2.xml with at least one element matching .*Layout. > Out of these 89 repos, every single one defines at least one pattern > layout. Only two repos out of 89 define a layout that is not a pattern > layout: one repo a JSONLayout and one a StackdriverLayout. > > > -----Original Message----- > From: Volkan Yazıcı <vol...@yazi.ci> > Sent: Wednesday, 11 October 2023 11:32 > To: dev@logging.apache.org > Subject: Re: [log4j] Improving log4j security > > Your use case sounds to me as follows: "I want to use `PatternLayout` for > exchanging data between two systems and ... [it is insecure.]" (Please > correct me if I am wrong.) My answer is: "Don't". > > `PatternLayout` is not designed to be machine-readable. If I am not > mistaken, there is not even a standard format for stack traces. Consider > ones generated from exceptions containing messages with newline characters. > How are you gonna deal with parsing those? Or thread names, custom levels, > custom markers, etc. with a newline? My point is, don't use `PatternLayout` > for exchanging data between systems. For that purpose, we recommend using > structured layouts, e.g., `JsonTemplateLayout`. ELK, Splunk, Datadog, > NewRelic, etc. they all accept JSON. > > In conclusion, I recommend you to use JTL for publishing logs to other > systems. If you have `PatternLayout` [encoder?] enhancements that we can > incorporate in a backward-compatible way, please share.
