Marcono1234 created LOG4J2-3037:
-----------------------------------

             Summary: Add methods for logging untrusted arguments
                 Key: LOG4J2-3037
                 URL: https://issues.apache.org/jira/browse/LOG4J2-3037
             Project: Log4j 2
          Issue Type: Improvement
          Components: API
            Reporter: Marcono1234


While LOG4J2-2511 would prevent log injection, it appears Log4j 2 does not 
provide any safe means for logging untrusted (potentially malicious) data 
without it messing with the output. Simply not logging such data is often not 
an option, because it is important to understand which steps an adversary took.

It would therefore be good if Log4j 2 provided logging methods for untrusted 
data, which escape any potentially malicious input.
Adding such methods to {{Logger}} is probably not an option because it would 
further bloat the API, making it less usable. However, maybe such methods could 
be added to {{LogBuilder}}.
The following API would allow this (and could, unrelated to this request, also 
support logging primitive arguments without boxing):
{code}
interface LogBuilder {
    interface MessageWithArgsBuilder {
        MessageWithArgsBuilder withArg(Object arg);
        MessageWithArgsBuilder withUntrustedArg(Object arg);
        void log();
    }

    MessageWithArgsBuilder withMessage(String messageTemplate);
}
{code}
The usage would then look like this:
{code}
logger.atWarn()
  .withMessage("User provided invalid argument {} to service {}")
  .withUntrustedArg(arg)
  .withArg(service)
  .log();
{code}

The implementation of {{withUntrustedArg}} would then only allow a subset of 
the ASCII chars, encasing the argument with double quotes {{"}}, and replacing 
any non-allowed characters with their Unicode escape sequence {{\uXXXX}}, 
adding to any existing escape sequences an additional {{u}}, e.g.
{noformat}
test" \u1234
{noformat}
would become
{noformat}
"test\u0022 \uu1234"
{noformat}
in the output.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
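
The escaping rule proposed in the issue, written out as an added example; it is not code from the issue or from Log4j 2. The names `UntrustedArgEscaper` and `escapeUntrusted` are hypothetical, and two details the issue leaves open are assumptions: the allowed set is taken to be printable ASCII without `"` and `\`, and a backslash that does not start an existing escape sequence is itself escaped.

```java
public final class UntrustedArgEscaper {

    // Assumption: the issue only says "a subset of the ASCII chars". Here that is
    // printable ASCII (0x20-0x7E) minus the quote delimiter and the backslash.
    private static boolean isAllowed(char c) {
        return c >= 0x20 && c <= 0x7E && c != '"' && c != '\\';
    }

    // Hypothetical helper: quotes the argument and escapes everything not allowed.
    static String escapeUntrusted(Object arg) {
        String s = String.valueOf(arg);
        StringBuilder out = new StringBuilder(s.length() + 2).append('"');
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\\' && i + 1 < s.length() && s.charAt(i + 1) == 'u') {
                // Existing escape sequence: emit the backslash plus one extra 'u'.
                // The original run of 'u' and the digits are copied by later
                // iterations, so the input stays distinguishable from our escapes.
                out.append("\\u");
            } else if (isAllowed(c)) {
                out.append(c);
            } else {
                // CR, LF, other control chars, the quote, a lone backslash
                // (assumption) and all non-ASCII become a four-digit hex escape.
                out.append(String.format("\\u%04x", (int) c));
            }
        }
        return out.append('"').toString();
    }

    public static void main(String[] args) {
        // Sample input taken from the issue text.
        System.out.println(escapeUntrusted("test\" \\u1234"));

        // Constructed input: CR/LF followed by a forged log line.
        String forged = "x\r\n2021-03-01 WARN admin logged in";
        System.out.println("User provided invalid argument "
                + escapeUntrusted(forged) + " to service billing");
    }
}
```

Because the escaped argument contains no raw line breaks or quotes, the forged entry stays inside the quoted argument on a single output line.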