Question
I am using log4net for logging in my Web API application. I am using the code below to log warnings and errors to the database.
```csharp
public async Task<int> ExecuteNonQuery(string procedureName, params SqlParameter[] parameters)
{
    try
    {
        // the value being logged here is what Fortify flags
        this.logger.DebugFormat("{0} starting call", procedureName);
        // ......
        // ......
        // ......
    }
    // further code
}
```
When I ran the Fortify scan, it gives me a log forging issue. Is there any idea how we can resolve this issue? I tried the code below, but it didn't work.
```csharp
// keep only letters, digits and '$' (the stray spaces inside the character class have been removed)
procedureName = Regex.Replace(procedureName, "[^A-Za-z0-9$]", string.Empty);
```
Answer 1:
Fortify is guarding against Log Forging/Log Injection, where a malicious user could get unescaped input into your system in such a way that it's written to your log file. The idea would be to add in misleading log entries that would throw automated or manual intrusion detection or intrusion investigation attempts off the scent of the malicious user and what they are really trying to accomplish.
In order to combat this, one must carefully control which portions of user input end up being used in a log file. How to do this varies by how strict you are. You could simply escape all user input in your log, stripping out things like newlines or control characters. To be extremely strict, one removes all user input from their logging statements and uses a set of pre-developed events that form a "whitelist" of events that can be logged in the system.
In your case, it sounds like Fortify isn't smart enough to know if procedureName comes from user input or not, so it flags your logging statement as potentially containing dynamic/user content. If you are positive that you know where procedureName comes from, then you can ignore this as a false positive. Otherwise, you can use one of the mitigation techniques I've listed to make your logging statement more secure.
Answer 2:
The answer from Seafish might be a bit hard to dissect. For that reason, I am going to try and answer this.
As Fortify will explain, the Log Forging issue is because Fortify believes you are using a value/property that came directly from a user. In such a case, the user, if they were a bad actor, might have set that value to confuse your logs which messes with your ability to perform a proper audit.
The resolutions are usually one or multiple of the following:
- Stripping out newlines or control characters from all properties or variables coming from a user before it hits your logs.
- Remove all user input from the logs, and instead use predefined messages for output.
- Along with the first method, you can wrap all user defined values within certain markers to identify a true log entry.
The last suggestion is more of something that Fortify will likely not understand, which is why I recommended doing so in combination with the first solution. Just like using double quotes to quote someone, you can use a series of brackets around values in logs to help make it harder to forge, as well as even encrypting the date/time that's on each line and using that to start the line, so you can confirm that the start of a line is where you have a properly decrypted date/time that matches the date/time in the output message.
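The following is an added example, not code from the question or from either answer, showing how the mitigations described in both answers look in C#: control characters such as CR/LF are neutralised before a value reaches the log, the procedure name is checked against a predefined allowlist instead of being logged raw, and the untrusted value is wrapped in visible markers. The `KnownProcedures` names, the `LogSanitizer` class and the `Action<string>` stand-in for `this.logger.DebugFormat` are all assumptions made for the example; the forged input string is constructed here to show what a CRLF in a logged value would otherwise do.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.RegularExpressions;

// Added example (not from the original question or answers).
public static class LogSanitizer
{
    // Hypothetical allowlist of stored procedures this service may call.
    private static readonly HashSet<string> KnownProcedures =
        new HashSet<string>(StringComparer.Ordinal) { "usp_GetOrders", "usp_UpdateOrder" };

    // Mitigation 1 (both answers): replace characters that could start a new log
    // line (CR, LF) or corrupt a viewer (other control characters) with a visible
    // escape. Backslashes are escaped too, so an input containing a literal "\n"
    // cannot masquerade as an escaped newline produced by this method.
    public static string Neutralize(string value)
    {
        if (value == null) return "<null>";
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\\\"); break;
                case '\r': sb.Append("\\r"); break;
                case '\n': sb.Append("\\n"); break;
                case '\t': sb.Append("\\t"); break;
                default:
                    if (char.IsControl(c)) sb.Append("\\u").Append(((int)c).ToString("X4"));
                    else sb.Append(c);
                    break;
            }
        }
        return sb.ToString();
    }

    // The questioner's regex with the stray spaces removed: keeps only [A-Za-z0-9$].
    public static string StripToIdentifierChars(string value) =>
        Regex.Replace(value ?? string.Empty, "[^A-Za-z0-9$]", string.Empty);

    // Mitigation 2 (Answer 2, second bullet): do not log the raw value at all;
    // only a name from the predefined set is accepted, anything else is rejected
    // before it can reach either the database call or the log.
    public static string RequireKnownProcedure(string procedureName)
    {
        if (procedureName != null && KnownProcedures.Contains(procedureName))
            return procedureName;
        throw new ArgumentException("Unknown stored procedure");
    }

    // Mitigation 3 (Answer 2, third bullet): delimit the untrusted value so a
    // reader or a log parser can see where it starts and ends.
    public static string Quote(string value) => "[" + Neutralize(value) + "]";
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample input: a procedure name followed by CRLF and a fake log line.
        string forged = "usp_GetOrders\r\n2017-12-12 10:00:00 INFO login succeeded for admin";

        // Stand-in for this.logger.DebugFormat so the example runs without log4net.
        Action<string> log = Console.WriteLine;

        // Unsafe: the CRLF inside the value produces two log lines.
        log("unsafe:   " + forged + " starting call");

        // Neutralised and delimited: the whole value stays on one line, inside brackets.
        log("safe:     " + LogSanitizer.Quote(forged) + " starting call");

        // Stripped with the corrected regex: only identifier characters survive.
        log("stripped: " + LogSanitizer.StripToIdentifierChars(forged) + " starting call");

        // Allowlist: the forged value is refused outright.
        try
        {
            LogSanitizer.RequireKnownProcedure(forged);
        }
        catch (ArgumentException ex)
        {
            log("rejected: " + ex.Message);
        }
    }
}
```

Whether a static analyser recognises `Neutralize` or `StripToIdentifierChars` as a sanitiser is a separate question from whether the log is actually protected, which is the false-positive point Answer 1 makes; the allowlist approach sidesteps that entirely because no user-controlled string is ever passed to the logger.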
Source: https://stackoverflow.com/questions/47771586/how-to-fix-log-forging-in-c-sharp