CVE ID(s)
List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database.
- There is no CVE for this.
Report
A Log Injection query is available as a C# query and as a JavaScript (experimental) query, but it is not available as a Java query.
I created a query to detect a log injection vulnerability in java code.
Link to the PR: github/codeql#3882
Result(s)
The query was able to detect a potential Log Forging (now fixed) in the generator-jhipster project.
This is the PR fixing the potential Log Forging: prevent potential log forging, and here is the fixed code: https://github.com/jhipster/generator-jhipster/pull/11708/files.
To test the query, I used the vulnerable version of that file. I created a project using jhipster (Creating an application), and then I ran the query on the project already created; the query was able to detect the vulnerability mentioned in the PR (once I created the project, before generating the database, I replaced the fixed code with its previous version).
There is also a CVE (another project): CVE-2020-4072: Log Forging in generator-jhipster-kotlin, that mentions the equivalent Java file of the generator-jhipster project: commit: prevent log forging when doing password reset init request.
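The pattern the query targets, as an added example that is not the CodeQL query, the jhipster code or the jhipster fix: an untrusted value (here a hypothetical `mail` parameter of a password-reset request) concatenated into a log message, shown next to a hardened form that strips line breaks so the record cannot be split into forged entries. The sanitizer, the replacement character and the `java.util.logging` logger are assumptions chosen to keep the example self-contained.

```java
import java.util.logging.Logger;

// Added example (not the page's or project's code): log forging in vulnerable and hardened form.
public class LogForgingExample {
    private static final Logger LOG = Logger.getLogger("password-reset");

    // Vulnerable: request data flows unchanged into the log message. A value containing
    // "\n" or "\r" ends the current record and starts a new, attacker-controlled one.
    static String buildMessageVulnerable(String mail) {
        return "Requesting password reset for " + mail;
    }

    // Hardened: CR, LF and tab characters from untrusted input are replaced before logging,
    // so the whole value stays inside a single log record. '_' is an assumed replacement.
    static String sanitizeForLog(String untrusted) {
        if (untrusted == null) {
            return "null";
        }
        return untrusted.replaceAll("[\\r\\n\\t]", "_");
    }

    static String buildMessageHardened(String mail) {
        return "Requesting password reset for " + sanitizeForLog(mail);
    }

    // Counts the number of lines a log message would occupy; a defender's check that the
    // hardened message is always exactly one record.
    static int lineCount(String message) {
        return message.split("\\r?\\n|\\r", -1).length;
    }

    public static void main(String[] args) {
        // Constructed sample input: a value carrying a line break and a fake second entry.
        String constructedInput = "user@example.com\nINFO: Requesting password reset for other@example.com";

        String vulnerable = buildMessageVulnerable(constructedInput);
        String hardened = buildMessageHardened(constructedInput);

        LOG.info("vulnerable message spans " + lineCount(vulnerable) + " line(s)"); // 2
        LOG.info("hardened message spans " + lineCount(hardened) + " line(s)");     // 1
        LOG.info(hardened);
    }
}
```

The hardened variant is what a dataflow query like the one in the PR would want to treat as a sanitizer; without it, the value reaching the logger call is the sink the query reports.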