[jira] [Commented] (LOG4J2-3037) Add methods for logging untrusted arguments

Fri, 21 Jan 2022 20:22:07 -0800 


    [ 
https://issues.apache.org/jira/browse/LOG4J2-3037?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17480342#comment-17480342
 ] 

Matt Sicker commented on LOG4J2-3037:
-------------------------------------

This still seems relevant, though with the message lookup thing already being 
fixed, I'm not sure if there's much that can be done with user input for things 
like PatternLayout (maybe removing newlines?).

> Add methods for logging untrusted arguments
> -------------------------------------------
>
>                 Key: LOG4J2-3037
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3037
>             Project: Log4j 2
>          Issue Type: Improvement
>          Components: API
>            Reporter: Marcono1234
>            Priority: Major
>
> While LOG4J2-2511 would prevent log injection, it appears Log4j 2 does not 
> provide any safe means for logging untrusted (potentially malicious) data 
> without it messing with the output. Simply not logging such data is often not 
> an option, because it is important to understand which steps an adversary 
> took.
> It would therefore be good if Log4j 2 provided logging methods for untrusted 
> data, which escape any potentially malicious input.
> Adding such methods to {{Logger}} is probably not an option because it would 
> further bloat the API, making it less usable. However, maybe such methods 
> could be added to {{LogBuilder}}.
> The following API would allow this (and could unrelated to this request also 
> support logging primitive arguments without boxing):
> {code}
> interface LogBuilder {
>     interface MessageWithArgsBuilder {
>         MessageWithArgsBuilder withArg(Object arg);
>         MessageWithArgsBuilder withUntrustedArg(Object arg);
>         void log();
>     }
>     MessageWithArgsBuilder withMessage(String messageTemplate);
> }
> {code}
> The usage would then look like this:
> {code}
> logger.atWarn()
>   .withMessage("User provided invalid argument {} to service {}")
>   .withUntrustedArg(arg)
>   .withArg(service)
>   .log();
> {code}
> The implementation of {{withUntrustedArg}} would then only allow a subset of 
> the ASCII chars, encasing the argument with double quotes {{"}}, and 
> replacing any non allowed characters with their Unicode escape sequence 
> {{\uXXXX}}, adding to any existing escape sequences an additional {{u}}, e.g.
> {noformat}
> test" \u1234
> {noformat}
> would become
> {noformat}"test\u0022 \uu1234"
> {noformat}
> in the output.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Reply via email to