This use of org/slf4j/Logger.info(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages

Question

I am getting this sonar issue(Security - Potential CRLF Injection for logs) while logging request body parameter in code.

public ResponseEntity<SomeDto> someMethod(@RequestBody User user) {
 log.info("user received as --> {}", user);
}

How to resolve this issue? Thank you.

Please do something about the formatting, as I have no idea what you are posting. — M. Deinum, Jan 02 '23 at 12:45

score 0 · Answer 1 · answered Jan 02 '23 at 13:34

That is really annoying warning produced by sonarqube. The problem is sonarqube expects from you to write dumb code like:

public ResponseEntity<SomeDto> someMethod(@RequestBody User user) {
    log.info(
            "user received as --> {}", 
            String.valueOf(user)
                    .replace("\r", "\\r")
                    .replace("\n", "\\n")
    );
}

which is obviously unacceptable.

If your security team do believe CR/LF characters in logs is a real security problem the only correct approach is following:

disable corresponding sonarqube checks
properly setup logging subsystem, using one of the following ways:
1. take advantage of output encoding in logback - for example, write all logs in JSON:
  - https://www.baeldung.com/java-log-json-output
  - How to log in JSON with Logback?
2. use security-logging-logback library, here is an example of corresponding logback configuration

This use of org/slf4j/Logger.info(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages

1 Answers1