Skip to content

Improper Output Neutralization for Logs [VID:117:github.com/govwa/util/middleware/middleware.go:24] #7

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
veracode-workflow-app bot opened this issue Mar 3, 2025 · 0 comments
Open

Improper Output Neutralization for Logs [VID:117:github.com/govwa/util/middleware/middleware.go:24] #7

veracode-workflow-app bot opened this issue Mar 3, 2025 · 0 comments
Labels
Veracode Pipeline Scan A Veracode Flaw found during a Pipeline Scan VeracodeFlaw: Medium A Veracode Flaw, Medium severity

Comments

@veracode-workflow-app
Copy link

govwa//util/middleware/middleware.go

Lines 19 to 29 in 06b43e3

func (self *Class) LoggingMiddleware(h httprouter.Handle) httprouter.Handle {
return func(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
start := time.Now()
log.Printf("Request From %s", r.Header.Get("User-Agent"))
log.Printf("Started %s %s", r.Method, r.URL.Path)
h(w, r, ps)
log.Printf("Completed %s in %v", r.URL.Path, time.Since(start))
}
}

Filename: github.com/govwa/util/middleware/middleware.go

Line: 24

CWE: 117 (Improper Output Neutralization for Logs)

This call to log::Printf() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The second argument to Printf() contains tainted data. The tainted data originated from an earlier call to github.com.govwa.util.middleware.!FuncLit6392418c.!func. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers/nDon't know how to fix this? Don't know why this was reported?
Get Assistance from Veracode
@veracode-workflow-app veracode-workflow-app bot added Veracode Pipeline Scan A Veracode Flaw found during a Pipeline Scan VeracodeFlaw: Medium A Veracode Flaw, Medium severity labels Mar 3, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Veracode Pipeline Scan A Veracode Flaw found during a Pipeline Scan VeracodeFlaw: Medium A Veracode Flaw, Medium severity
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants