
[Java] CWE-117: CodeQL query to detect Log Injection #144

Open
1 task done
dellalibera opened this issue Jul 2, 2020 · 5 comments

Comments

@dellalibera

dellalibera commented Jul 2, 2020

CVE ID(s)

List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database.

  • There is no CVE for this.

Report

A Log Injection query is available for C# and for JavaScript (experimental), but it is not available for Java.
I created a query to detect a log injection vulnerability in Java code.

Link to the PR: PR github/codeql#3882

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

Result(s)

The query was able to detect a potential Log Forging (now fixed) in the generator-jhipster project.
This is the PR fixing the potential Log Forging: prevent potential log forging, and here is the fixed code: https://github.com/jhipster/generator-jhipster/pull/11708/files.

To test the query, I used the vulnerable version of that file. I created a project using jhipster (Creating an application), and then I ran the query on the project already created; the query was able to detect the vulnerability mentioned in the PR (once I created the project, before generating the database, I replaced the fixed code with its previous version).

There is also a CVE (another project): CVE-2020-4072: Log Forging in generator-jhipster-kotlin, which mentions the equivalent Java file of the generator-jhipster project: commit: prevent log forging when doing password reset init request.

@dellalibera dellalibera added the All For One Submissions to the All for One, One for All bounty label Jul 2, 2020
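The CWE-117 pattern the query above targets, shown as an added illustration in Java. This is not code from the CodeQL PR or from generator-jhipster: a request value containing CR/LF that is written straight into a log line lets the sender append a fabricated entry, and replacing those characters before logging removes the problem. The class name, method names and log message text are assumed for the illustration, and the input string is constructed.

```java
import java.util.logging.Logger;
import java.util.regex.Pattern;

// Hypothetical class for the illustration; not part of any project on the page.
public class LogForgingDemo {
    private static final Logger LOG = Logger.getLogger(LogForgingDemo.class.getName());

    // Characters that let a value break out of the current log line.
    private static final Pattern LINE_BREAKS = Pattern.compile("[\\r\\n]");

    /** Vulnerable: the untrusted parameter reaches the logger unchanged. */
    static void logResetRequestVulnerable(String mail) {
        LOG.info("Requested password reset for user '" + mail + "'");
    }

    /** Replaces CR and LF with '_' so the value can only ever occupy one log line. */
    static String sanitize(String value) {
        if (value == null) {
            return "null";
        }
        return LINE_BREAKS.matcher(value).replaceAll("_");
    }

    /** Hardened: same message, untrusted part neutralised before logging. */
    static void logResetRequestHardened(String mail) {
        LOG.info("Requested password reset for user '" + sanitize(mail) + "'");
    }

    public static void main(String[] args) {
        // Constructed input carrying an embedded line break followed by a fake entry.
        String untrusted = "alice@example.com'\nINFO: Requested password reset for user 'admin@example.com";

        // Emits two log lines; a reader of the log cannot tell the second one was injected.
        logResetRequestVulnerable(untrusted);

        // Emits a single line; the line break shows up as '_' and the forgery is visible.
        logResetRequestHardened(untrusted);
    }
}
```

Replacing rather than stripping the characters keeps evidence that an injection was attempted, which is useful when reviewing logs after the fact; encoding the whole value (for example as JSON or with a structured logging API) is an equivalent fix where the logging framework supports it.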
@kevinbackhouse
Contributor

Hi @dellalibera. It looks like this one hasn't made any progress since last year. Is it ok if I drop it from our bounty pipeline for now? You can resubmit it when it's ready.

@kevinbackhouse kevinbackhouse removed the All For One Submissions to the All for One, One for All bounty label Jan 14, 2021
@ghsecuritylab
Collaborator

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

@dellalibera
Author

Hi @kevinbackhouse, yes, sure. Feel free to close this issue. Hopefully, I will continue to work on the PR later this year.

@porcupineyhairs

@dellalibera Do you mind if I take this up then?

@xcorail
Contributor

xcorail commented Feb 4, 2021

@porcupineyhairs please create a new issue ... I don't know how our internal tracking will work :)
And close this one once done.
