如何在C#中修复日志伪造 [英] How to fix log forging in C#

问题描述

我正在使用Log4net登录到我的Web api应用程序.我正在使用以下代码在数据库中记录警告和错误.

I am using Log4net for logging into my web api application. I am using below code to log warnings and error in database.

public async Task<int> ExecuteNonQuery(string procedureName,params SqlParameter[] parameters)
{
try
{
  this.logger.DebugFormat("{0} stating call",procedureName);
  ......
  ......
  ......
}

further code

当我进行强化扫描时，它给了我日志伪造的问题.有什么办法可以解决这个问题吗?我尝试使用下面的代码，但没有成功

When i ran fortify scan it gives me log forging issue. Is there any idea how we can resolve this issue. I tried below code but didn't work

  procedureName = Regex.Replace(procedureName, "[^ A - Za - z0 - 9 $]", string.Empty);

推荐答案

Fortify防范日志伪造/日志注入，在这种情况下，恶意用户可能会将未经转义的输入写入您的日志文件，从而将未经转义的输入输入到您的系统中.这样做的想法是添加误导性的日志条目，从而使自动或手动的入侵检测或入侵调查尝试脱离恶意用户的气味以及他们真正想要实现的目标.

Fortify is guarding against Log Forging/Log Injection, where a malicious user could get unescaped input into your system in such a way that it's written to your log file. The idea would be to add in mis-leading log entries that would throw automated or manual intrusion detection or intrusion investigation attempts off the scent of the malicious user and what they are really trying to accomplish.

为了解决这个问题，必须仔细控制最终在日志文件中使用了用户输入的哪些部分.如何执行此操作取决于您的严格程度.您可以简单地转出日志中的所有用户输入，删除换行符或控制字符之类的内容.极其严格地说，一个用户将从其日志记录语句中删除所有用户输入，并使用一组预先开发的事件，这些事件构成了可以在系统中记录的事件的白名单".

In order to combat this, one must carefully control which portions of user input end up being used in a log file. How to do this varies by how strict you are. You could simply escape all user input in your log, stripping out things like newlines or control characters. To be extremely strict, one removes all user input from their logging statements and uses a set of pre-developed events that form a "whitelist" of events that can be logged in the system.

在您的情况下，听起来好像Fortify不够聪明，无法知道procedureName是否来自用户输入，因此它会将您的日志记录语句标记为可能包含动态/用户内容.如果您肯定知道procedureName的来源，则可以将其视为假阳性而将其忽略.否则，您可以使用我列出的一种缓解技术，以使您的日志记录语句更安全.

In your case, it sounds like Fortify isn't smart enough to know if procedureName comes from user input or not, so it flags your logging statement as potentially containing dynamic/user content. If you are positive that you know where procedureName comes from, then you can ignore this as a false positive. Otherwise, you can use one of the mitigation techniques I've listed to make your logging statement more secure.

这篇关于如何在C#中修复日志伪造的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！