Java Developer Tools

Audit - Rules - Logging

Description
This group contains audit rules that check for correct usage of various logging frameworks.


Details

Log Forging

Summary
User input may be written directly to a log.

Description
Log Forging occurs when user input is printed directly to a log or as part of a log.

To detect violations, this audit rule searches the code for logging statements such as logger.log(..) and traces where the logged string could have come from. In cases where the source of the logged string is user input, such as data from a servlet request, javax.servlet.ServletRequest.getParameter(java.lang.String), or from an SWT Text widget, org.eclipse.swt.widgets.Text.getText(), a violation is created.

These two sets of methods, the locations where tainted user data can come from and the logging methods themselves, are editable by the user. If methods are missing that are in a common package (such as java.lang.*), please let CodePro support know.

Security Implications
When a malicious user can write arbitrary text into the log, for example text containing line breaks that start a new, fabricated entry, the integrity of the log is compromised and any person or tool that relies on it can be misled.

Example
The invocation of log(..) would be flagged as a violation since it uses the user name information passed from a servlet request:

    import java.util.logging.Level;
    import java.util.logging.Logger;
    import javax.servlet.ServletRequest;

    ServletRequest servletRequest = ...;
    Logger logger = ...;
    Level level = ...;
    // The untrusted request parameter flows unchanged into the log message.
    String userName = servletRequest.getParameter("userName");
    String logMessage = "User input the following user name: " + userName;
    logger.log(level, logMessage);
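The following added example (not part of the CodePro documentation or its rule implementation) shows the flagged pattern next to a hardened form. It assumes java.util.logging and stands in for the servlet request parameter with a constructed string containing a line break, so the difference between the two log messages is visible when the program is run:

```java
import java.util.logging.Level;
import java.util.logging.Logger;

public class LogForgingDemo {
    // One shared logger per class (this also satisfies the "More Than One Logger" rule).
    private static final Logger LOGGER = Logger.getLogger(LogForgingDemo.class.getName());

    // Flagged pattern: untrusted text becomes part of the log entry unchanged,
    // so a value containing CR or LF starts a fabricated second entry.
    static String buildUnsafeMessage(String userName) {
        return "User input the following user name: " + userName;
    }

    // Hardened: neutralise line breaks and other control characters before the
    // value reaches the logger. Replacing instead of rejecting keeps the entry
    // readable and leaves the tampering attempt visible to whoever reads the log.
    static String sanitizeForLog(String untrusted) {
        if (untrusted == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder(untrusted.length());
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            if (c == '\r' || c == '\n') {
                sb.append('_');      // line break replaced by a visible placeholder
            } else if (Character.isISOControl(c)) {
                sb.append('?');      // other control characters (tabs, escape sequences)
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    static String buildSafeMessage(String userName) {
        return "User input the following user name: " + sanitizeForLog(userName);
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for servletRequest.getParameter("userName"):
        // a name followed by a line break and text shaped like a separate log entry.
        String tainted = "alice\nINFO: User 'admin' logged in successfully";

        System.err.println("--- unsafe: two lines, the second one forged ---");
        LOGGER.log(Level.INFO, buildUnsafeMessage(tainted));
        System.err.println("--- safe: one line, the break shown as '_' ---");
        LOGGER.log(Level.INFO, buildSafeMessage(tainted));
    }
}
```

The sanitizer is deliberately applied at the point where the tainted value is concatenated into the message, which is the same place the audit rule traces to; sanitizing at that point also gives the rule's taint analysis a single method to recognise as a cleaning step if the rule's method sets are customised.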

More Than One Logger

Summary
Use one shared logger instance per class.

Description
Using more than one logger instance per class is sometimes considered a bad coding style. This rule will create a violation for each class that has more than one logger instance defined.

Example
The following class declaration would be flagged as a violation because it contains more than one logger:

    import org.apache.commons.logging.Log;
    import org.apache.commons.logging.LogFactory;

    public class Something {
        // Two logger instances in one class: the rule reports this class.
        private static final Log errorsLogger = LogFactory.getLog(Something.class);
        private static final Log accessLogger = LogFactory.getLog(Something.class);
    }

Non Static Logger
