Java – log forging enhanced repair
I'm using Fortify SCA to find security issues in my application (as a college assignment). I encountered some "log forging" problems I couldn't get rid of.
Basically, I record some values from the user's input from the web interface:
logger.warn("current id not valid - " + bean.getRecordId());
Fortify reports this as a log forging problem because getRecordId() returns user input.
I have followed this article. I replaced the "new line" characters with spaces, but the reports are still there:
logger.warn("current id not valid - " + Util.replaceNewLine(bean.getRecordId()));
Can anyone come up with a solution to this problem?
Solution
I'm actually the author of the article you used to solve the log injection problem. I hope this is helpful.
Vitaly is right about Fortify: you need to create a custom rule.
It may be a data flow cleanse rule. A basic example can be found here: http://www.cigital.com/newsletter/2009-11-tips.php. If you have Fortify, you should have a custom rule writing guide in your product documentation.
I don't know which taint flag you will use, but it will look like "-LOG_FORGING". You will basically write a rule to remove the log forging "taint" when the data passes through your utility method. Fortify then assumes that any data passing through that method can be safely written to the log without causing log forging.
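As an added example (not code from the question, the answer, or the linked article), here is what such a utility method can look like, written so that a single cleanse rule pointing at LogSanitizer.forLog would cover every log call that routes user input through it. The class name, method name and the sample record id are assumptions; the method neutralizes CR, LF and the other ASCII control characters, since a log viewer treats any of them as a record break, not only "\n":

```java
import java.util.regex.Pattern;

// Hypothetical utility class: the method a Fortify cleanse rule would name.
public final class LogSanitizer {

    private LogSanitizer() {}

    // CR, LF and every other C0 control character plus DEL. Replacing only
    // "\n" leaves "\r" and e.g. backspace available to rewrite the log line.
    private static final Pattern CONTROL_CHARS =
            Pattern.compile("[\\u0000-\\u001F\\u007F]");

    /**
     * Returns a copy of value that cannot start a new log record:
     * every control character is replaced by '_', so an injected
     * second "line" stays visibly inside the original entry.
     */
    public static String forLog(String value) {
        if (value == null) {
            return "null";
        }
        return CONTROL_CHARS.matcher(value).replaceAll("_");
    }

    // Demonstration with a constructed record id that carries a forged line.
    public static void main(String[] args) {
        String recordId = "42\r\nINFO  user admin logged in";   // constructed sample input

        // Unsanitized: the second line would appear as its own log record.
        System.out.println("unsafe:   current id not valid - " + recordId);

        // Sanitized: the whole value stays on one line.
        System.out.println("sanitized: current id not valid - " + forLog(recordId));
        // prints: sanitized: current id not valid - 42__INFO  user admin logged in
    }
}
```

In the application code from the question the call then becomes logger.warn("current id not valid - " + LogSanitizer.forLog(bean.getRecordId())). The custom rule is what tells Fortify that forLog removes the taint; without it the scanner has no way to know the method is a sanitizer, which is why the replaceNewLine version kept producing findings.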