andrewmusselman opened a new issue, #536:
URL: https://github.com/apache/tooling-trusted-releases/issues/536
## Summary
The application's logging infrastructure does not sanitize user-controlled
input, allowing attackers to forge log entries, hide malicious activity, or
break log parsing.
## ASVS Requirements
- 16.4.1 - Log encoding to prevent injection (L2)
*Note: This finding was originally mapped to 7.3.2 in the L1 audit, but
7.3.2 actually covers absolute session lifetime (L2). Log injection prevention
is covered by 16.4.1 (L2). Leaving this here for when we generate L2 issues*
## Related Audit Reports
- [Universal Spoofing #401](ASVS/universal-spoofing-401.md) - Section 1
*(Note: 7.3.2 removed from L1 scope)*
## Affected Files
- `atr/log.py` (lines 133-143)
- `atr/ssh.py` (lines 61, 72, 84, 219) - Critical: raw SSH commands logged
## Current Behavior
```python
def _event(level: int, msg: str, stacklevel: int = 3, exc_info: bool = False) -> None:
    logger = _caller_logger(depth=3)
    logger.log(level, msg, stacklevel=stacklevel, exc_info=exc_info)
    # No sanitization of msg parameter
```
## Attack Vector
```python
# Malicious username:
"admin\n[2024-01-01 12:00:00] CRITICAL <security> System compromised"
# Creates forged log entry appearing legitimate
```
## Recommended Fix
```python
import re


def _sanitize_log_message(msg: str) -> str:
    """Sanitize message to prevent log injection attacks."""
    # Remove control characters except tab, LF and CR (LF/CR are escaped below)
    msg = re.sub(r'[\x00-\x08\x0b-\x0c\x0e-\x1f\x7f-\x9f]', '', msg)
    # Escape newlines so one call can never emit more than one log line
    msg = msg.replace('\r\n', '\\r\\n')
    msg = msg.replace('\n', '\\n')
    msg = msg.replace('\r', '\\r')
    return msg


def _event(level: int, msg: str, stacklevel: int = 3, exc_info: bool = False) -> None:
    logger = _caller_logger(depth=3)
    sanitized_msg = _sanitize_log_message(msg)
    logger.log(level, sanitized_msg, stacklevel=stacklevel, exc_info=exc_info)
```
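As an added, self-contained example (not code from the issue or from the `atr` project), the following applies the same sanitization rule through a `logging.Filter` instead of inside `_event()`. The reason for the difference: the recommended fix sanitizes only the `msg` template, so a value passed as a `%s` argument (`logger.info("user %s", username)`) would still reach the log unsanitized. The filter runs after the arguments are merged into the message, so it covers both paths. The names `SanitizingFilter`, `sanitize_log_text`, `render_log_lines` and the forged username are constructed for this demonstration. Traceback text attached via `exc_info` is rendered separately by the `Formatter` and is not covered here.

```python
import io
import logging
import re

# Same character class as the recommended fix: drop C0/C1 controls and DEL,
# but keep tab, LF and CR; LF and CR are then escaped rather than removed.
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b-\x0c\x0e-\x1f\x7f-\x9f]")

# Constructed sample: a username crafted to look like a second log entry.
FORGED_USERNAME = "admin\n[CRITICAL] <security> System compromised"


def sanitize_log_text(text: str) -> str:
    """Strip control characters and escape line breaks so the text stays on one line."""
    text = _CONTROL_CHARS.sub("", text)
    return text.replace("\r\n", "\\r\\n").replace("\n", "\\n").replace("\r", "\\r")


class SanitizingFilter(logging.Filter):
    """Hypothetical filter: sanitize the fully rendered message, %-args included.

    record.getMessage() merges record.args into record.msg; storing the result
    back as msg and clearing args means every handler sees the sanitized text.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = sanitize_log_text(record.getMessage())
        record.args = ()
        return True


def render_log_lines(username: str, sanitize: bool) -> list[str]:
    """Log one login event for `username` to an in-memory buffer and return the lines emitted."""
    logger = logging.getLogger("demo.sanitize" if sanitize else "demo.raw")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)

    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("[%(levelname)s] <%(name)s> %(message)s"))
    logger.addHandler(handler)
    if sanitize:
        logger.addFilter(SanitizingFilter())

    # The user-controlled value travels as a %-style argument, the way most
    # call sites pass it; sanitizing only the template string would miss it.
    logger.info("login attempt for user %s", username)
    handler.flush()
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    print("without filter:")
    for line in render_log_lines(FORGED_USERNAME, sanitize=False):
        print("  " + line)  # two lines: the forged entry looks like a real CRITICAL record
    print("with filter:")
    for line in render_log_lines(FORGED_USERNAME, sanitize=True):
        print("  " + line)  # one line: the newline survives only as the literal "\n"
```

Installing the filter on the logger (rather than on one handler) means it applies to every handler attached later, which is the property the acceptance criteria ask for. A unit test for this issue can assert on `render_log_lines(...)`: the unsanitized case yields two lines, the sanitized case exactly one.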
## Acceptance Criteria
- [ ] Log sanitization function implemented
- [ ] Applied to all log calls in `_event()` function
- [ ] SSH command logging sanitized
- [ ] External data source logging sanitized
- [ ] Unit tests for log injection prevention
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.