
We have a Spring project using Logback with SLF4J. I have been working on building Log Forging prevention in our project. I have used owasp.security-logging-logback to replace CRLF characters in the log.

pattern: %d ${LOG_LEVEL_PATTERN:-%5p} ${PID:- } --- [%15.15t] %-40.40logger{39} : %crlf(%m%ex) %n

Along with this we also want to add XSS protection by escaping the HTML that is present in the messages being logged. I have not been able to find any method to introduce escape HTML in the pattern.

log4j has the %encode{} conversion pattern. Is there something similar in SLF4J? If not, can you guide me on how to build a solution for this?

  • I don't think this is a good idea. Unnecessarily-escaped/encoded content introduces more pain downstream for _legitimate consumers_ of your content than it would prevent from unescaped log files. Do you have a solid _business case_ for making such a change? – Dai Aug 04 '21 at 05:25
  • "to replace CRLF characters in the log." - this seems just as silly. `\r\n` does not need escaping for safety in almost every circumstance where log files are used - I think you're making needless work for yourself that you'll only need to undo in a few months time... – Dai Aug 04 '21 at 05:27
  • @Dai, Log Forging was flagged as a vulnerability during the Static Analysis of the code using Fortify. This was the initial motivation for revisiting the logging and making it more secure. Since we have taken this up, we were thinking of making it as secure as possible. These logs are read by a very selective group of developers who are familiar with every aspect of the project, so we feel that even the encoded content will not hamper the usage of log too much. – Adnan Arif Sait Aug 04 '21 at 05:52

1 Answer


I wasn't able to find an existing library or tool that could integrate with logback and encode the HTML characters. So I created a custom logback MessageConverter.

import org.apache.commons.text.StringEscapeUtils;
import ch.qos.logback.classic.pattern.MessageConverter;
import ch.qos.logback.classic.spi.ILoggingEvent;

public class HtmlContentEncoderMessageConverter extends MessageConverter {
    // MessageConverter.convert() returns the formatted %m text; encode it here so
    // that <, >, &, and " reach the layout as HTML entities.
    @Override
    public String convert(ILoggingEvent event) {
        return StringEscapeUtils.escapeHtml4(super.convert(event));
    }
}

I added this converter to the logback configuration in logback-spring.xml,

<conversionRule conversionWord="htmlEncode" converterClass="<path_to_class>.HtmlContentEncoderMessageConverter"/>

And finally used this conversionWord in the logging pattern in application.properties,

logging.pattern.console: %d ${LOG_LEVEL_PATTERN:-%5p} ... %crlf(%htmlEncode{%m%ex})

Logs without message converters,

This is a
test quote with HTML
< testTag >.

Logs with the crlf and htmlEncode message converters,

This is a_test quote with HTML_&lt; testTag &gt;

Other tried methods,

  • I tried using the OWASP Security Logging Logback, but the OWASP logging took precedence over logback, meaning I would have to replace all logging functions with OWASP Security logging functions. This required too much work, so this method was dropped.
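An added example, not code from the answer above: the same idea built on logback's `CompositeConverter` instead of `MessageConverter`, so the converter wraps a whole sub-pattern (`%safe(%m%ex)`) the way OWASP's `%crlf(...)` does, and does both the CR/LF neutralisation and the HTML encoding in one place with no dependency on the OWASP library. The class name `SafeOutputConverter`, the conversion word `safe`, and the attacker input in `main` are assumptions made for the illustration.

```java
import ch.qos.logback.classic.spi.ILoggingEvent;
import ch.qos.logback.core.pattern.CompositeConverter;
import org.apache.commons.text.StringEscapeUtils;

/**
 * Hypothetical composite converter (not part of logback or the OWASP project).
 * Register it with
 *   <conversionRule conversionWord="safe" converterClass="<package>.SafeOutputConverter"/>
 * and use it in a pattern as %safe(%m%ex). The parentheses matter: %safe{...}
 * would hand the text to the converter as an option, not as a nested pattern.
 */
public class SafeOutputConverter extends CompositeConverter<ILoggingEvent> {

    /** Pure function so the behaviour can be unit-tested without a LoggerContext. */
    static String sanitize(String in) {
        if (in == null) {
            return null;
        }
        // 1. Log forging: a CR or LF inside attacker-controlled data starts a
        //    fake record on the next line. Replace each with "_" (the same
        //    marker the OWASP %crlf converter writes), so one event stays one line.
        String oneLine = in.replace('\r', '_').replace('\n', '_');
        // 2. Stored XSS in a browser-based log viewer: encode <, >, &, and "
        //    so the text is inert when rendered as HTML. escapeHtml4 does not
        //    touch the single quote, so a viewer that drops log text into an
        //    HTML attribute still needs an attribute-aware encoder.
        return StringEscapeUtils.escapeHtml4(oneLine);
    }

    /** Called by logback with the output of the wrapped sub-pattern. */
    @Override
    protected String transform(ILoggingEvent event, String in) {
        return sanitize(in);
    }

    /** Stand-alone demonstration on a constructed forged message. */
    public static void main(String[] args) {
        // Constructed attacker input: the "username" tries to append a fake
        // "login succeeded" record on a new line and to smuggle a script tag.
        String userName = "bob\r\n2021-08-04 10:00:00  INFO login succeeded user=admin"
                + " <script>alert(1)</script>";
        String message = "login failed user=" + userName;
        System.out.println("raw      : " + message);
        System.out.println("sanitized: " + sanitize(message));
    }
}
```

Two practical notes. Only what the converter wraps is protected: if the thread name (`%t`), MDC values (`%X{...}`), or anything else in the pattern can carry request data, wrap those too or they remain a forging vector. And because `%ex` sits inside the wrapper, stack traces are flattened onto a single line; that is the trade-off the question already accepts for `%crlf(%m%ex)`, and it is what keeps a multi-line exception from being confused with injected records.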