Binary file added share/src/lib/esapi-2.1.0.1.jar
Binary file not shown.
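--- a/share/src/main/java/org/apache/log4j/NewLinePatternLayout.java
+++ b/share/src/main/java/org/apache/log4j/NewLinePatternLayout.java
@@ -0,0 +1,36 @@
+package org.apache.log4j;
+
+import org.apache.log4j.PatternLayout;
+import org.apache.log4j.spi.LoggingEvent;
+import org.owasp.esapi.ESAPI;
+/**
+* Custom Log Pattern Layout to neutralize logs
+*
+* MNT-20203 Improper Output Neutralization for Logs CWE ID 117
+* Creator: aioobe (https://stackoverflow.com/questions/30912182/how-to-resolve-cwe-117-issue )
+* LM_2019-01-30
+* */
+
+public class NewLinePatternLayout extends PatternLayout {
+
+public NewLinePatternLayout() { }
+
+public NewLinePatternLayout(String pattern) {
+super(pattern);
+}
+
+public String format(LoggingEvent event) {
+String original = super.format(event);
+
+// ensure no CRLF injection into logs for forging records
+String clean = original.replace('\n', '_').replace('\r', '_');
+if (ESAPI.securityConfiguration().getLogEncodingRequired()) {
+//Encode data for use in HTML using HTML entity encoding
+clean = ESAPI.encoder().encodeForHTML(clean);
+}
+//insert new line for better readability of the logs
+StringBuilder sb = new StringBuilder(clean + "\n");
+
+return sb.toString();
+}
+}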
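Review bot: The neutralization on the `String clean = ...` line strips only CR and LF, so other characters that can forge or corrupt a record — the C1 control `\u0085`, the Unicode separators `\u2028`/`\u2029`, backspace, and ESC (0x1b) used for terminal escape sequences — still reach the log whenever `getLogEncodingRequired()` is false; a broader replacement such as `String clean = original.replaceAll("[\\p{Cc}\\u2028\\u2029]", "_");` closes that gap (exclude `\t` from the class if tab-indented messages must survive). Because the replacement runs over the whole formatted line, a pattern used with this layout must not contain `%n`, or the trailing newline becomes `_` before the `"\n"` appended at the end; that constraint belongs in the class Javadoc. If this is log4j 1.x's `PatternLayout`, as the package suggests, `ignoresThrowable()` is true and stack-trace lines are appended by the appender rather than passing through `format`, so an exception message is not neutralized by this class — worth stating in the Javadoc as well. `format` should also carry `@Override`, and the `StringBuilder` is redundant: `return clean + "\n";`.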