Avoid log injection / log forging #1355
At the moment, there is no … In the meantime, if you need it urgently, you can use … Change the default pattern:

```js
const util = require("util"); // util.format is used by the token below
const log4js = require("log4js");

log4js.configure({
  appenders: {
    out: {
      type: "stdout",
      layout: {
        type: "pattern",
        // default is "%[[%d] [%p] %c - %]%m"; %x{crlfFilter} replaces %m with the filtered message
        pattern: "%[[%d] [%p] %c - %]%x{crlfFilter}",
        tokens: {
          crlfFilter: function (logEvent) {
            let filteredData = logEvent.data.map((i) => {
              // prefix every continuation line with "> " so it cannot pass as a new record
              if (typeof i.replace === "function") return i.replace(/\n/g, "\n> ");
              else return i;
            });
            return util.format(...filteredData);
          },
        },
      },
    },
  },
  categories: { default: { appenders: ["out"], level: "info" } },
});

var logger = log4js.getLogger();
logger.info("Some debug messages\n[2023-01-17T11:58:38.150] [INFO] default - Log forging");
```
Is this somehow also possible using a configuration file instead? For us, log4js is part of vendor-provided software where we cannot just add a token into an object-based configuration but only have the option to pass the string path to a configuration file. But having a function is not valid JSON... thus this line here will throw an error: Lines 50 to 55 in 26dcec6

If you have any other idea to support this with a config file only, please let us know, as we would like to protect ourselves against log forging as well. ;-) Apart from that: ideally, this filtering would be easily available not only as a standard mechanism (removing the CRLF completely), but also with a replace function, just as log4j2 (see https://logging.apache.org/log4j/log4j-2.1/manual/layouts.html#Patterns - replace) or logback (https://logback.qos.ch/manual/layouts.html#replace) provide.
Is there a configuration to avoid log injection / log forging?

This is a security problem described here: https://owasp.org/www-community/attacks/Log_Injection

In Java, with Log4j2 or Logback, it can be avoided with a special pattern like `%encode` (or the `%enc` alias) or by defining a `conversionRule` (for Logback). Look at the detailed solution here: https://github.com/augustd/owasp-security-logging/wiki/Log-Forging