fulldecent commented on pull request #630:
URL: https://github.com/apache/logging-log4j2/pull/630#issuecomment-998868962
Thank you. Here is a minimal test case.
Here is an implementation, a subclass of log4v2 `Logger` and `Message`
classes:
```
public error(string message) {
log_the_string((new Message(message)).getString());
}
```
```
class Message {
Message(string input) {}
public String getString() {
return new String("chickens");
}
}
```
As far as I can see, these two classes fully conform with the per-function
specifications in log4j2 `Logger` and `Message` classes as well as all the
documentation on the website (which I assume is normative). Additionally, this
class includes the additional implementation-specific feature that it turns all
log messages into chickens.
Because of the abstraction principle of object-oriented design, it will be
acceptable for a client to use either the implementation-specific documentation
OR the API documentation. We will choose to use the API documentation, which
for `error(string message)` is as follows:
```java
/**
* Logs a message object with the {@link Level#ERROR ERROR} level.
*
* @param message the message string to log.
*/
void error(String message);
```
These words have the following meaning:
> Logs a message object (i.e. the string object, i.e. the string object that
is the `message` parameter in this function) with the {@link Level#ERROR ERROR}
level.
Or more simply:
> Logs the `message` parameter...
But actually this functionality is not what happens. Because a client could
be expecting nuclear detonation codes to be logged, but actually chickens are
logged.
Logging is an important part of system security, therefore the failure to
log the expected string is a security vulnerability.
---
Here is a possible solution for this documentation which is not vulnerable
to this problem:
```java
/**
* Logs a Message object, constructed using {@code textToBeInterpreted}
* with the {@link Level#ERROR ERROR} level.
*
* @param textToBeInterpreted the input to construct the Message object
*/
void error(String textToBeInterpreted);
```
In this case, a client intending to log nuclear detonation codes will know
that they must go read the constructor documentation for the `Message` class to
fully reason about what this function does.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
