Pass Veracode CWE 117 (Improper Output Neutralization for Logs) only with replaceAll("\r", "_").replaceAll("\n", "_")

This article explains how to pass Veracode CWE 117 (Improper Output Neutralization for Logs) using only replaceAll("\r", "_").replaceAll("\n", "_"). It may be a useful reference for anyone facing the same problem; read on with the editor to learn more.

Question

I read on some forums the myth that it is enough to pass the Veracode CWE 117 (Improper Output Neutralization for Logs) issue by doing something like this. Can somebody confirm if this is the case or not?

 message.replaceAll("\r", "_").replaceAll("\n", "_");

From this topic, How to fix Veracode CWE 117 (Improper Output Neutralization for Logs), I understand that I need to do something like this

ESAPI.encoder().encodeForHTML(message);

Answer

The message needs to be escaped for the context which it is in. The ESAPI logger does replace the \r and \n characters as well as encode for HTML if configured to do so.

Currently this code gives me a CWE 117 from Veracode:

log.log(Level.WARNING, System.getenv("unsafe"));

This code does not:

log.log(Level.WARNING, ESAPI.encoder().encodeForHTML(System.getenv("unsafe")));

encodeForHTML encodes \r and \n to &#xd; and &#xa; respectively, but an underscore is IMHO cleaner, and if you decoded the HTML you may get unexpected new lines.

This concludes the article on passing Veracode CWE 117 (Improper Output Neutralization for Logs) using only replaceAll("\r", "_").replaceAll("\n", "_"). We hope the recommended answer is helpful, and we hope you will continue to support IT屋!
