Spring 引导:CRLF - 在 REST 中安全地记录负载 API
Spring Boot: CRLF - Securely log payload in REST API
我有一个 Spring 启动应用程序,它公开了一个 REST API。我需要记录负载,以便能够在 API 调用的 JSON 中找到错误。
我有 运行 一个代码分析工具,当我记录有效负载时,它会报告以下安全风险。
https://find-sec-bugs.github.io/bugs.htm#CRLF_INJECTION_LOGS
如何防止代码注入?我想删除新行只能防止伪造的日志条目,不能防止代码注入?
休息 API:
@PostMapping("/my/api")
public ResponseEntity<String> handleApi(@RequestBody Body body) {
有效负载日志记录:
@Slf4j
public class CustomRequestLoggingFilter extends AbstractRequestLoggingFilter {
private static final int MAX_PAYLOAD_LENGTH = 64000;
public CustomRequestLoggingFilter() {
this.setIncludeQueryString(true);
this.setIncludePayload(true);
this.setMaxPayloadLength(MAX_PAYLOAD_LENGTH);
}
@Override
public void afterRequest(HttpServletRequest request, String message) {
if (request.getRequestURI().equals("/my/api")) {
log.info(message); //This is the security risk
}
}
链接的报告建议可能 solution 替换换行符以消除风险:
log.info(message.replaceAll("[\r\n]",""));
You can manually sanitize each parameter.
log.info("User " + val.replaceAll("[\r\n]","") + " (" + userAgent.replaceAll("[\r\n]","") + ") was not authenticated");
或使用其他 solutions 更改您的日志记录配置:
You can also configure your logger service to replace new line for all message events. Here is sample configuration for LogBack using the replace function.
<pattern>%-5level - %replace(%msg){'[\r\n]', ''}%n</pattern>
Finally, you can use a logger implementation that replace new line by spaces. The project OWASP Security Logging has an implementation for Logback and Log4j.
您可以尝试使用 OWASP Json Sanitizer 库 (https://owasp.org/www-project-json-sanitizer/migrated_content) 在记录输入之前清理和消毒 Json 输入。如果您不担心向您的项目添加额外的 3rd 方依赖项。
注意:该库的最后一次发布是在 2021 年 1 月 11 日
示例:
@Override
public void afterRequest(HttpServletRequest request, String message) {
if (request.getRequestURI().equals("/my/api")) {
String sanitizedJson = JsonSanitizer.sanitize(message);
log.info(sanitizedJson );
}
}
我有一个 Spring 启动应用程序,它公开了一个 REST API。我需要记录负载,以便能够在 API 调用的 JSON 中找到错误。 我有 运行 一个代码分析工具,当我记录有效负载时,它会报告以下安全风险。 https://find-sec-bugs.github.io/bugs.htm#CRLF_INJECTION_LOGS
如何防止代码注入?我想删除新行只能防止伪造的日志条目,不能防止代码注入?
休息 API:
@PostMapping("/my/api")
public ResponseEntity<String> handleApi(@RequestBody Body body) {
有效负载日志记录:
@Slf4j
public class CustomRequestLoggingFilter extends AbstractRequestLoggingFilter {
private static final int MAX_PAYLOAD_LENGTH = 64000;
public CustomRequestLoggingFilter() {
this.setIncludeQueryString(true);
this.setIncludePayload(true);
this.setMaxPayloadLength(MAX_PAYLOAD_LENGTH);
}
@Override
public void afterRequest(HttpServletRequest request, String message) {
if (request.getRequestURI().equals("/my/api")) {
log.info(message); //This is the security risk
}
}
链接的报告建议可能 solution 替换换行符以消除风险:
log.info(message.replaceAll("[\r\n]",""));
You can manually sanitize each parameter.
log.info("User " + val.replaceAll("[\r\n]","") + " (" + userAgent.replaceAll("[\r\n]","") + ") was not authenticated");
或使用其他 solutions 更改您的日志记录配置:
You can also configure your logger service to replace new line for all message events. Here is sample configuration for LogBack using the replace function.
<pattern>%-5level - %replace(%msg){'[\r\n]', ''}%n</pattern>
Finally, you can use a logger implementation that replace new line by spaces. The project OWASP Security Logging has an implementation for Logback and Log4j.
您可以尝试使用 OWASP Json Sanitizer 库 (https://owasp.org/www-project-json-sanitizer/migrated_content) 在记录输入之前清理和消毒 Json 输入。如果您不担心向您的项目添加额外的 3rd 方依赖项。
注意:该库的最后一次发布是在 2021 年 1 月 11 日
示例:
@Override
public void afterRequest(HttpServletRequest request, String message) {
if (request.getRequestURI().equals("/my/api")) {
String sanitizedJson = JsonSanitizer.sanitize(message);
log.info(sanitizedJson );
}
}