Checkmarx does not understand static methods.
String journeyId = request.getHeader("JOURNEY_ID");
journeyId = LogUtils.getUserInputText(journeyId);
LOGGER.info("journeyId=" + journeyId);
For the code above, Checkmarx always complains that there is Log Forging because it thinks journeyId comes from user input. But LogUtils.getUserInputText only returns ASCII text. Checkmarx does not recognize that.
Then I did this test:
String myJourneyId1 = request.getHeader("JOURNEY_ID");
LogUtils logUtils = new LogUtils();
// same static method, called through an instance
myJourneyId1 = logUtils.getUserInputText(myJourneyId1);
LOGGER.info("myJourneyId1=" + myJourneyId1);
I did not change anything in LogUtils. I only instantiate it before I call the static method, and now Checkmarx does not complain anymore.
Here is getUserInputText:
public static String getUserInputText(final String input) {
    if (StringUtils.isBlank(input)) {
        return "";
    }
    // keep only printable ASCII (0x20-0x7E); CR/LF and non-ASCII are replaced
    return input.replaceAll("[^\\x20-\\x7E]", "\\uFFFD");
}
It does not matter what is inside getUserInputText. Checkmarx complains about the first one but not the second one. They are calling the same function.
To be honest, I am quite frustrated by this. It wasted my whole afternoon testing why my fix did not solve the log forging issue, and eventually I found it was a Checkmarx issue.
More interesting findings here:
If I move the LogUtils class to another dependency project, Checkmarx always complains about the log forging issue, no matter whether I instantiate it or not.
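As an added example (not code from the question or from Checkmarx), here is a self-contained port of the sanitizer above fed a constructed log-forging payload, so you can see what actually reaches the logger regardless of what the scanner reports. StringUtils.isBlank is replaced by a plain null/blank check to keep it dependency-free; the regex and the "\\uFFFD" replacement are kept exactly as in the question.

```java
import java.util.regex.Pattern;

// Added example: port of the question's sanitizer plus a small harness.
public class LogForgingSanitizerDemo {

    // Same regex as the question: keep only printable ASCII 0x20-0x7E.
    // CR (0x0D) and LF (0x0A) fall outside the range, so a header value
    // cannot start a new log line.
    private static final Pattern NON_PRINTABLE_ASCII = Pattern.compile("[^\\x20-\\x7E]");

    public static String getUserInputText(final String input) {
        if (input == null || input.trim().isEmpty()) { // stands in for StringUtils.isBlank
            return "";
        }
        // "\\uFFFD" is the six-character Java string \uFFFD. In a replacement
        // string a backslash escapes the next character, so the text actually
        // substituted is the literal "uFFFD", not U+FFFD. That is why the
        // result stays pure ASCII.
        return NON_PRINTABLE_ASCII.matcher(input).replaceAll("\\uFFFD");
    }

    private static void check(boolean cond, String msg) {
        if (!cond) {
            throw new AssertionError(msg);
        }
    }

    public static void main(String[] args) {
        // Constructed hostile header value: CRLF followed by a fake log record.
        String forged = "abc123\r\nINFO  user=admin action=login status=OK";

        String unsanitized = "journeyId=" + forged;
        String sanitized = "journeyId=" + getUserInputText(forged);

        System.out.println("--- unsanitized (two lines, second one forged) ---");
        System.out.println(unsanitized);
        System.out.println("--- sanitized (one line) ---");
        System.out.println(sanitized);

        // After sanitizing only one physical line reaches the log.
        check(!sanitized.contains("\n") && !sanitized.contains("\r"),
              "line breaks survived sanitizing");
        check(sanitized.equals("journeyId=abc123uFFFDuFFFDINFO  user=admin action=login status=OK"),
              "unexpected sanitized output");
        // Non-ASCII is replaced too, and blank input collapses to "".
        check(getUserInputText("caf\u00E9").equals("cafuFFFD"), "non-ASCII not replaced");
        check(getUserInputText("   ").equals(""), "blank input not handled");
        System.out.println("all checks passed");
    }
}
```

Compile and run with `javac LogForgingSanitizerDemo.java && java LogForgingSanitizerDemo`; the check on the exact sanitized string also documents that the replacement text is "uFFFD", which is worth knowing if you expected the Unicode replacement character.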