CRLF Injection vulnerability while using slf4j LOGGER in Veracode (CWE 117)


It's an slf4j logger and I have been trying to log an error with 2 message parameters.

    catch (ExecutionException executionException) {
        LOGGER.error("TimeoutException caught , Error: " + SSG_TIMEOUT.getErrorText()
            + ". Message: " + executionException.getMessage());
    }

SSG_TIMEOUT.getErrorText() returns the String "TimeOut error encountered".

Things I used:

  1. Manual sanitize code

    // Backslash is escaped first so the escapes added below are not doubled.
    static String sanitize(String entry) {
        return entry.replace("\\", "\\\\").replace("\t", "\\t").replace("\b", "\\b")
            .replace("\n", "\\n").replace("\r", "\\r").replace("\f", "\\f")
            .replace("\u0000", "\\0").replace("\\a", "\\a").replace("\\v", "\\v")
            .replace("\\e", "\\e").replaceAll("\\p{Cntrl}", "")
            .replace("'", "\\'").replace("\"", "\\\"");
    }

  2. StringEscapeUtils.escapeJson(String errorMessage)

  3. StringBuilder to append the string + escapeJson(stringBuilder.toString())

Still I see the issue in my Veracode report.

Any Suggestions?


First of all, the first 2 methods of sanitization are correct; it's just that they are not supported by Veracode.

Before using a method, one should visit "About Supported Cleansing Functions" at https://help.veracode.com/r/review_cleansers

So, for the above problem StringUtils.normalizeSpace() worked. "StringUtils.escapeJava" could also be used, but it seems deprecated.

Soln:

    catch (ExecutionException executionException) {
        LOGGER.error("TimeoutException caught , Error: "
            + StringUtils.normalizeSpace(SSG_TIMEOUT.getErrorText()));
    }
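To make the CWE-117 finding concrete, here is an added, self-contained example (not code from the question or the answer) that builds the same log entry with and without neutralization. It uses a small `normalizeSpace` stand-in written here to mirror what `StringUtils.normalizeSpace()` does (trim, then collapse every whitespace run, including `\r` and `\n`, to one space), so no Commons Lang dependency is needed; the exception message is constructed to contain a CRLF followed by text that would otherwise appear as a second, forged log line.

```java
import java.util.regex.Pattern;

// Added example: shows why an unneutralized exception message is a CWE-117
// sink and what a whitespace-collapsing cleanser buys you.
public class LogNeutralizeDemo {

    // Stand-in for StringUtils.normalizeSpace(): trim, then collapse every
    // run of whitespace (\r and \n included) into a single space.
    private static final Pattern WS = Pattern.compile("\\s+");

    static String normalizeSpace(String s) {
        return s == null ? null : WS.matcher(s.trim()).replaceAll(" ");
    }

    // Vulnerable: both operands reach the log entry as-is.
    static String rawEntry(String errorText, String message) {
        return "TimeoutException caught , Error: " + errorText
             + ". Message: " + message;
    }

    // Hardened: both operands are neutralized before the logger sees them.
    static String safeEntry(String errorText, String message) {
        return "TimeoutException caught , Error: " + normalizeSpace(errorText)
             + ". Message: " + normalizeSpace(message);
    }

    // Number of physical lines this entry would occupy in a line-oriented log;
    // anything above 1 means the entry can masquerade as several records.
    static int lineCount(String entry) {
        return entry.split("\\r\\n|\\r|\\n", -1).length;
    }

    public static void main(String[] args) {
        // Constructed message: a CRLF followed by a fake second record.
        String message = "connect timed out\r\nINFO  forged entry via message";
        String raw  = rawEntry("TimeOut error encountered", message);
        String safe = safeEntry("TimeOut error encountered", message);
        System.out.println("raw entry spans " + lineCount(raw) + " line(s):\n" + raw);
        System.out.println("safe entry spans " + lineCount(safe) + " line(s):\n" + safe);
    }
}
```

Running it shows the raw entry occupying two lines and the neutralized one a single line; note that `normalizeSpace` also tolerates a null `getMessage()`, which is common for timeout exceptions.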