Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Java : Add Log Injection Vulnerability #5099

Merged
merged 5 commits into from
Mar 24, 2021
Merged

Java : Add Log Injection Vulnerability #5099

merged 5 commits into from
Mar 24, 2021
+175 −27

Conversation

ghost
Copy link

@ghost ghost commented Feb 4, 2021

This is a continuation of @dellalibera's #3882.

CC: @smowton @Marcono1234 @intrigus-lgtm

@ghost ghost self-requested a review as a code owner February 4, 2021 18:21
@ghost
Copy link
Author

ghost commented Feb 4, 2021

There is already a bounty application open with GHSL. See github/securitylab#144

This was referenced Feb 4, 2021
Open
Closed
intrigus-lgtm
intrigus-lgtm reviewed Feb 4, 2021
View reviewed changes
Copy link
Contributor

@intrigus-lgtm intrigus-lgtm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just some comments.
The .qhelp file has only been checked for missing <code> tags and nothing else.

owen-mc
owen-mc previously requested changes Feb 5, 2021
View reviewed changes
Copy link
Contributor

@owen-mc owen-mc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be great to have some tests.

@ghost ghost force-pushed the javaLogInjection branch from 0190d2a to 9478bd7 Compare March 2, 2021 18:44
@ghost
Copy link
Author

ghost commented Mar 2, 2021

@owen-mc I have the latest changes here. As for the tests, let this PR be merged as experimental. I keep running it issues with stubbing Java dependencies again and again. So I have decided to write a simple tool to generate the stubs for me. Until that is fully functional, I won't be adding any tests to any of my Java PR's.

owen-mc
owen-mc reviewed Mar 4, 2021
View reviewed changes
Copy link
Contributor

@owen-mc owen-mc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have set two LGTM runs going, one with the sanitizer guards and one without. I sympathise about stubbing. For codeql for Go there is a tool called Depstubber to do stubbing.

@owen-mc
Copy link
Contributor

owen-mc commented Mar 10, 2021

I did two lgtm runs. There were a lot of results, and not much difference between the two runs. There were results in 7066 projects for the run with sanitizers and 7073 for the run without. Some projects also had different numbers of results. Unfortunately lgtm doesn't make it particularly easy to diff the two outputs. CruxFramework/crux is one of the projects that had results in the second run but not the first. I looked at one of its results and it seems to be inappropriately sanitizer-guarded by endswith. The rest of the results for that repo are very similar, so I think the same must be the case.

I stand by my suggestion about which sanitizer guards to remove.

@owen-mc
Copy link
Contributor

owen-mc commented Mar 15, 2021

@porcupineyhairs Do you intend to update the sanitizer guards? I will then move this to the next stage of the process.

@ghost ghost force-pushed the javaLogInjection branch from 22dca75 to a88c368 Compare March 18, 2021 10:42
@ghost
Copy link
Author

ghost commented Mar 18, 2021

@owen-mc I have removed the sanitizers and rebased the PR to the latest main.

@owen-mc owen-mc assigned aschackmull and unassigned owen-mc Mar 18, 2021
@owen-mc owen-mc dismissed their stale review March 18, 2021 14:27

Changes have been made

@aschackmull aschackmull merged commit 63831cc into github:main Mar 24, 2021
@ghost ghost deleted the javaLogInjection branch March 24, 2021 18:52
This was referenced Nov 4, 2021
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@aschackmull aschackmull

Labels
documentation Java
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@owen-mc @Marcono1234 @aschackmull @intrigus-lgtm