'How to avoid CRLF (Carriage Return and Line Feed) in Logback - CWE 117

I'm using Logback and I need to avoid CRLF(Carriage Return and Line Feed) when I log a user parameter.
I tried to add my class, which extends ClassicConverter, on the static map PatternLayout.defaultConverterMap but It didn't work.

Thank you,

securitylogbackcarriage-returnlinefeedlog-forging


Solution 1:[1]

You should create a custom layout as described in logback documentation

Custom layout:

package com.foo.bar;

import ch.qos.logback.classic.PatternLayout;
import ch.qos.logback.classic.spi.ILoggingEvent;

public class RemoveCRLFLayout extends PatternLayout {

    @Override
    public String doLayout(ILoggingEvent event) {
        return super.doLayout(event).replaceAll("(\\r|\\n)", "");
    }

}

Logback configuration:

<encoder class="ch.qos.logback.core.encoder.LayoutWrappingEncoder">
    <layout class="com.foo.bar.RemoveCRLFLayout">
        <pattern>%d %t %-5p %logger{16} - %m%n</pattern>
    </layout>
</encoder>

Solution 2:[2]

ch.qos.logback.core.CoreConstants;

public static final String LINE_SEPARATOR = System.getProperty("line.separator");

ch.qos.logback.classic.pattern.LineSeparatorConverter:

public String convert(ILoggingEvent event) {
    return CoreConstants.LINE_SEPARATOR;
}

package ch.qos.logback.classic.PatternLayout:

    defaultConverterMap.put("n", LineSeparatorConverter.class.getName());

So the proper way to ensure fixed line ending is the property line.separator.

The same implementation is for java.lang.System.lineSeparator():

lineSeparator = props.getProperty("line.separator");

Solution 3:[3]

For a quick solution we used a %replace expression in our pattern, to replace line feed and carraige returns found in the message.

Note this example is using a Spring Boot property to set the pattern, but you can use %replace in your Logback config file the same way.

logging:
  pattern:
    console: "%d{yyyy-MM-dd HH:mm:ss.SSS} %-5level %logger - %replace(%msg){'\n|\r', '_'}%n"

(A custom converter would have been my first choice, but I had trouble getting it to work with Spring Boot and Spring Cloud Config. If you want to learn more about that approach, search the logback docs for conversionRule.)

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 bedrin
Solution 2 gavenkoa
Solution 3

Related Questions

Secure cookies flag always getting lost in first session after resetting IIS

How to show or hide contents of an aspx page based on current user's roles

protect images on webpage from being copied/saved?

Getting error "403 - Forbidden: Access is denied" on browser when user is NOT administrator

Disable SSLHandshakeException for a single connection

SSL certificate error for IE users only

How to access HttpContext and Request in RequireAssersion?

Send Public key(generated as seckeyref in iPhone) to server(in Java)

The EXECUTE permission is denied on the user-defined table types?

cannot commit or push using egit (guess: issues with secure storage area)

Authorisation in microservices - how to approach domain object or entity level access control using ACL?

Adding nonce value to @Scripts.Render ASP.Net MVC razor pages with NWebSec

SSL Java java.io.IOException: Invalid keystore format

preventing abuse of API service usage

Protecting or Licensing a Django Application