Pass Veracode CWE 117 (Improper Output Neutralization for Logs) only with replaceAll("\n", "_").replaceAll("\r", "_")


Question

I read on some forums the myth that it is enough to pass the Veracode CWE 117 (Improper Output Neutralization for Logs) issue by doing something like this. Can somebody confirm if this is the case or not?

message.replaceAll("\n", "_").replaceAll("\r", "_");

From this topic, How to fix Veracode CWE 117 (Improper Output Neutralization for Logs), I understand that I need to do something like this:

ESAPI.encoder().encodeForHTML(message);

Answer

The message needs to be escaped for the context which it is in. The ESAPI logger does replace the \n and \r characters as well as encode for html if configured to do so.

Currently this code gives me a CWE 117 from Veracode:

log.log(Level.WARNING, System.getenv("unsafe"));

This code does not:

log.log(Level.WARNING, ESAPI.encoder().encodeForHTML(System.getenv("unsafe")));

encodeForHTML encodes \n and \r to &#xa; and &#xd; respectively, but an underscore is imho cleaner, and if you decoded the html you may get unexpected new lines.
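The two approaches discussed in the answer, written out as an added example (this is not code from the question, the answer, ESAPI or Veracode). It uses only java.util.logging; the class name LogNeutralizer, the method names neutralizeCrLf and neutralizeControls, and the sample input are assumptions made for the illustration. The second method goes beyond the page's \n/\r replacement and also neutralizes every other ISO control character (tab, NEL U+0085, etc.) and the Unicode line and paragraph separators, since a log viewer may break lines on those as well.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

public class LogNeutralizer {
    private static final Logger log = Logger.getLogger(LogNeutralizer.class.getName());

    /**
     * The minimal fix from the question: map CR and LF to underscores so that one
     * attacker-controlled value can never span more than one physical log line.
     * Literal replace() is used instead of replaceAll() so no regex parsing is involved.
     */
    public static String neutralizeCrLf(String message) {
        if (message == null) {
            return null;
        }
        return message.replace("\r", "_").replace("\n", "_");
    }

    /**
     * Stricter variant (an assumption made for this example, not from the page): every
     * ISO control character (U+0000-U+001F, U+007F-U+009F, which includes NEL U+0085)
     * plus the Unicode line separator U+2028 and paragraph separator U+2029 become '_';
     * all other characters are kept, so the value stays readable in the log.
     */
    public static String neutralizeControls(String message) {
        if (message == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(message.length());
        for (int i = 0; i < message.length(); i++) {
            char c = message.charAt(i);
            if (Character.isISOControl(c) || c == '\u2028' || c == '\u2029') {
                sb.append('_');
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: a value that embeds CRLF followed by text shaped
        // like a second, fabricated log record. Unneutralized, it would print as two lines.
        String unsafe = "user=alice\r\nWARNING: (forged) user=admin";

        // After neutralization the whole value lands on one line:
        // "user=alice__WARNING: (forged) user=admin"
        log.log(Level.WARNING, neutralizeCrLf(unsafe));

        // The stricter variant also flattens tabs and NEL, which neutralizeCrLf leaves alone.
        log.log(Level.WARNING, neutralizeControls("tab\there\u0085next"));
    }
}
```

Both methods keep the neutralized value as plain text, which is what the answer prefers over encodeForHTML: an HTML entity such as &#xa; is only safe as long as nothing downstream decodes it, whereas an underscore stays an underscore whatever the log viewer does. If the log is later rendered in an HTML page, the message still needs HTML encoding at that point, because the escaping has to match the context where the data is finally displayed.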

