
After searching for a long time, I couldn't find information about how Serilog deals with the sanitization of log feeds. A.k.a. the battle against "log injection" or "log forging" (see https://owasp.org/www-community/attacks/Log_Injection). All the searches point to "dependency injection" and it is a totally different topic :)

I assume that by using Serilog with string parameters (https://github.com/serilog/serilog/wiki/Writing-Log-Events) the possibly dangerous content is sanitized. But is it?

Does anyone know if this is done and should I be worried about it?

And what if someone uses Serilog without string parameters and, instead, uses Serilog (against instructions) with string concatenation?

Ruben Bartelink

1 Answer


If configured mindfully, Serilog completely overcomes this issue.

However, this is formatter/sink-specific and relies on using Serilog as a structured logger (writing to unstructured output streams can definitely thwart this).

If you take the example from the OWASP article:

    // `request` and `log` (a Serilog ILogger) come from the surrounding application code.
    var val = request["val"];
    try {
        int value = Int32.Parse(val);
    }
    catch (Exception ex) {
        // Pass `val` as the argument for the {Val} placeholder so it is captured as a
        // structured property (the original snippet left {Val} without a value).
        log.Information("Failed to parse val {Val}", val);
    }

Then the resulting Serilog event in CLEF format will look like:

    {"@t":"...","@mt":"Failed to parse val {Val}","Val":"twenty-one"}

Imagining the "bad guy" scenario:

if an attacker submits the string “twenty-one%0a%0aINFO:+User+logged+out%3dbadguy” ...

Serilog will produce a structured event like:

    {"@t":"...","@mt":"Failed to parse val {Val}","Val":"twenty-one\n\nINFO: User logged out=badguy"}

Note that the injected "event" is completely within the Val field and can't be mistaken for a "real" event.

This holds even if the injected event is made to look like JSON, as Serilog's JSON formatter escapes JSON values correctly, and so the fake event will still be entirely within the "Val" field.

Even when misusing the Serilog API and not correctly recording Val as structured data, injected content will still only ever appear within the message field or whatever field it's placed into, and can't masquerade as an entirely separate event.

Just to stress it again, you'll need to check how your formatter and sink behave, to be sure. I'm talking about the formatters in Serilog.Formatting.Compact here.

Nicholas Blumhardt