
I use Eclipse to develop my web project, and use HP Fortify to scan my Java source code. The report shows that I have 7200 A1 Injection issues (log forging).

The sample code shows that logger.info will cause log forging:

public void storedProcedure(HttpServletResponse response,
                            @RequestParam("idn") String idn,
                            @RequestParam("agentNo") String agentNo) {
    // raw request parameters are concatenated into the log message
    logger.info("call  idn :" + idn + ",agentNo=" + agentNo); // log forging
}

And then I found a solution using the Spring framework HtmlUtils to escape, but too much code is scattered everywhere. I want to change the logger call to

// HtmlUtils is org.springframework.web.util.HtmlUtils
logger.info("call  idn :" + HtmlUtils.htmlEscape(idn)
            + ",agentNo=" + HtmlUtils.htmlEscape(agentNo));

How can I use a regular expression to find the lines starting with logger.info, find all the "+" variables, and replace them with HtmlUtils.htmlEscape(variable)?

Alan Moore
Hamilton Lin
  • So, are you looking for help in solving log forging (there are better ways that are less intrusive to your code), or do you simply want the regex to do the replace? – Adrian Shum Aug 16 '16 at 08:21
  • I have tried many ways to avoid the HP Fortify scan, but none succeeded. Do you have another way to solve it? – Hamilton Lin Aug 16 '16 at 10:18
  • Are you trying to avoid the Fortify scan, or to avoid log forging? I kind of remember HP Fortify scans for real runtime behavior (right?). If so, I guess you can probably fix the log forging problem. But this is better as a separate question (as you are asking about regex in the current question, though in a messy way). – Adrian Shum Aug 16 '16 at 10:44
  • To properly handle log forging, in brief: I assume you are using Logback (I guess it is doable in most other logging backends); you can simply develop a custom layout, which can replace a multi-line log message with some kind of prefix etc. for every new line, so forged log messages will be distinguishable from real ones. – Adrian Shum Aug 16 '16 at 10:47
  • I am not sure how far HP Fortify can analyse, but it is definitely a better way to tackle log forging than polluting your code everywhere with `HtmlUtils.htmlEscape`. – Adrian Shum Aug 16 '16 at 10:48
  • I have used some better ways of solving log forging, such as overriding Apache log4j to extend my method, or using the ESAPI library to filter some words. BUT!!! For the Fortify scan, the report never succeeds on log forging. – Hamilton Lin Aug 17 '16 at 02:22
  • SO, I think there are two ways to pass the report. 1 is to cancel all of my project's logger.info calls. 2 is adding Spring HtmlUtils to filter some variables, which is successful in passing Fortify. – Hamilton Lin Aug 17 '16 at 02:23
  • I believe you need to tell Fortify that the code is cleansing the data, e.g. http://stackoverflow.com/questions/12784707/log-forging-fortify-fix – Adrian Shum Aug 17 '16 at 02:45
  • The software is mainly controlled by our contractor. Thus I can NOT manipulate Fortify. What I can do is to modify the errors after they scan it. Can anyone help me figure out the best way to reduce the errors given my restricted conditions? – Hamilton Lin Aug 17 '16 at 03:16
  • This question is not appropriate for discussing this further. Raise a proper question instead. – Adrian Shum Aug 17 '16 at 03:40
  • I need the best way to solve my question, not, as you say, "tell Fortify that the code is cleansing". Raise a proper solution instead. – Hamilton Lin Aug 17 '16 at 04:00
  • In this question you are asking for a regular expression. Either fix your question with a proper title, content and tags, or create a new question for it. StackOverflow is not for discussing a vague question. That's why I asked at the very beginning: what are you trying to ask in this question? – Adrian Shum Aug 17 '16 at 04:08
  • The easiest way for you should be a little wrapper of the logger to be used in all of your controllers, which internally calls `HtmlUtils.htmlEscape` to cleanse input. – Adrian Shum Aug 17 '16 at 09:40
  • OK, I'll try it later. Thanks very much. – Hamilton Lin Aug 18 '16 at 01:58

1 Answer

If you really need less code, then I'd suggest you write a helper:

import java.util.Arrays;
import org.springframework.web.util.HtmlUtils;

// escape every argument, returning a String[] that can be passed to a varargs logger call
public static String[] htmlEscape(final String... args) {
     return Arrays.stream(args)
                  .map(HtmlUtils::htmlEscape)
                  .toArray(String[]::new);
}

And use it this way:

if (logger.isInfoEnabled()) {
    logger.info("call  idn:{}, agentNo={}", htmlEscape(idn, agentNo));
}

Note the call to isInfoEnabled. It prevents you from doing unnecessary argument escaping if the INFO log level is disabled. You can reduce this CPU overhead, at the cost of slightly increased memory usage, by using this trick to make htmlEscape lazily evaluated:

public static Object[] lazyHtmlEscape(final String... args) {
     return Arrays.stream(args)
                  .map(arg -> new Object() {
                      @Override
                      public String toString() {
                          // here the argument will be escaped only if
                          // the toString method is called
                          // (that happens if the log level is enabled)
                          return HtmlUtils.htmlEscape(arg);
                      }
                  })
                  .toArray();
}

logger.info("call  idn:{}, agentNo={}", lazyHtmlEscape(idn, agentNo));
vsminkov
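The wrapper Adrian Shum suggests in the comments and the lazy-escaping helper in the answer can be combined in one small class. The following is an added example, not code from the question or the answer: the class name SafeLogArgs and the cleanse/lazy method names are hypothetical, and it assumes SLF4J and Spring's org.springframework.web.util.HtmlUtils on the classpath. It also goes one step beyond the page by neutralising CR/LF, which is what actually lets an attacker start a fake log line; HtmlUtils.htmlEscape alone leaves newlines in place.

```java
import java.util.Arrays;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.util.HtmlUtils;

/** Hypothetical helper (not the original post's code): cleanses every
 *  user-supplied argument before it reaches the logging backend. */
public final class SafeLogArgs {

    private static final Logger LOG = LoggerFactory.getLogger(SafeLogArgs.class);

    private SafeLogArgs() {}

    /**
     * A CR or LF inside a request parameter would end the current log line and
     * let the rest of the value appear as a separate, attacker-written entry.
     * Replace them with visible markers, then HTML-escape so that a log viewer
     * rendered in a browser cannot be injected either.
     */
    public static String cleanse(String raw) {
        if (raw == null) {
            return "null";
        }
        String oneLine = raw.replace("\r", "\\r").replace("\n", "\\n");
        return HtmlUtils.htmlEscape(oneLine);
    }

    /** Escaping is deferred until toString() runs, i.e. only when the level is enabled. */
    public static Object[] lazy(final String... args) {
        return Arrays.stream(args)
                     .map(arg -> new Object() {
                         @Override
                         public String toString() {
                             return cleanse(arg);
                         }
                     })
                     .toArray();
    }

    public static void main(String[] unused) {
        // Constructed sample input: an "idn" value that smuggles a fake log line
        // and some markup; the agent number is a normal value.
        String idn = "A123\nINFO  call idn :ADMIN,agentNo=0001 <b>ok</b>";
        String agentNo = "0001";
        // Same parameterised call as in the answer, but every argument is cleansed.
        LOG.info("call idn :{}, agentNo={}", lazy(idn, agentNo));
        System.out.println(cleanse(idn));
    }
}
```

Whether Fortify stops flagging the call depends on it recognising cleanse as a sanitiser, which is the point the comment thread makes about telling Fortify the data is cleansed; the newline handling is what removes the forging risk at runtime regardless of what the scanner reports.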