github-advanced-security[bot] commented on code in PR #922:
URL: https://github.com/apache/syncope/pull/922#discussion_r1861930922
##########
fit/build-tools/src/main/java/org/apache/syncope/fit/buildtools/cxf/ProvisioningImpl.java:
##########
@@ -68,7 +68,7 @@
statement.setString(1, accountid);
String query = "DELETE FROM testuser WHERE userId='" +
accountid + "';";
- LOG.debug("Execute query: " + query);
+ LOG.debug("Execute query: {}", query);
Review Comment:
## Log Injection
This log entry depends on a [user-provided value](1).
[Show more
details](https://github.com/apache/syncope/security/code-scanning/1700)
##########
core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/jexl/JexlUtils.java:
##########
@@ -107,7 +107,7 @@
getJexlEngine().createExpression(expression);
result = true;
} catch (JexlException e) {
- LOG.error("Invalid JEXL expression: " + expression, e);
+ LOG.error("Invalid JEXL expression: {}", expression, e);
Review Comment:
## Insertion of sensitive information into log files
This [potentially sensitive information](1) is written to a log file.
[Show more
details](https://github.com/apache/syncope/security/code-scanning/1698)
##########
core/provisioning-api/src/main/java/org/apache/syncope/core/provisioning/api/jexl/JexlUtils.java:
##########
@@ -122,7 +122,7 @@
JexlExpression jexlExpression =
getJexlEngine().createExpression(expression);
result = jexlExpression.evaluate(jexlContext);
} catch (Exception e) {
- LOG.error("Error while evaluating JEXL expression: " +
expression, e);
+ LOG.error("Error while evaluating JEXL expression: {}",
expression, e);
Review Comment:
## Insertion of sensitive information into log files
This [potentially sensitive information](1) is written to a log file.
[Show more
details](https://github.com/apache/syncope/security/code-scanning/1699)
##########
fit/build-tools/src/main/java/org/apache/syncope/fit/buildtools/cxf/ProvisioningImpl.java:
##########
@@ -345,7 +345,7 @@
statement = conn.prepareStatement("SELECT roleName FROM role
WHERE roleName=?");
statement.setString(1, username);
final String roleQuery = "SELECT roleName FROM role WHERE
roleName='" + username + "';";
- LOG.debug("Execute query: " + roleQuery);
+ LOG.debug("Execute query: {}", roleQuery);
Review Comment:
## Log Injection
This log entry depends on a [user-provided value](1).
[Show more
details](https://github.com/apache/syncope/security/code-scanning/1703)
##########
fit/build-tools/src/main/java/org/apache/syncope/fit/buildtools/cxf/ProvisioningImpl.java:
##########
@@ -322,7 +322,7 @@
@Override
public String resolve(final String username) throws ProvisioningException {
- LOG.debug("Resolve request operation received: " + username);
+ LOG.debug("Resolve request operation received: {}", username);
Review Comment:
## Log Injection
This log entry depends on a [user-provided value](1).
[Show more
details](https://github.com/apache/syncope/security/code-scanning/1701)
##########
fit/build-tools/src/main/java/org/apache/syncope/fit/buildtools/cxf/ProvisioningImpl.java:
##########
@@ -333,7 +333,7 @@
statement.setString(1, username);
String query = "SELECT userId FROM testuser WHERE userId='" +
username + "';";
- LOG.debug("Execute query: " + query);
+ LOG.debug("Execute query: {}", query);
Review Comment:
## Log Injection
This log entry depends on a [user-provided value](1).
[Show more
details](https://github.com/apache/syncope/security/code-scanning/1702)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@syncope.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
