Object;)V might be used to include CRLF characters into log messages

1.7k Views Asked by Vishnu Shinde At 26 April 2025 at 14:20

I am getting this sonar issue(Security - Potential CRLF Injection for logs) while logging request body parameter in code.

public ResponseEntity<SomeDto> someMethod(@RequestBody User user) {
 log.info("user received as --> {}", user);
}

How to resolve this issue? Thank you.

Original Q&A

There are 1 best solutions below

Andrey B. Panfilov On 02 January 2023 at 13:34

That is really annoying warning produced by sonarqube. The problem is sonarqube expects from you to write dumb code like:

public ResponseEntity<SomeDto> someMethod(@RequestBody User user) {
    log.info(
            "user received as --> {}", 
            String.valueOf(user)
                    .replace("\r", "\\r")
                    .replace("\n", "\\n")
    );
}

which is obviously unacceptable.

If your security team do believe CR/LF characters in logs is a real security problem the only correct approach is following:

disable corresponding sonarqube checks
properly setup logging subsystem, using one of the following ways:
1. take advantage of output encoding in logback - for example, write all logs in JSON:
  - https://www.baeldung.com/java-log-json-output
  - How to log in JSON with Logback?
2. use security-logging-logback library, here is an example of corresponding logback configuration

This use of org/slf4j/Logger.info(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages

There are 1 best solutions below

Related Questions in SPRING-BOOT

Related Questions in SONARQUBE

Related Questions in LOGBACK

Related Questions in SLF4J

Related Questions in CRLF-VULNERABILITY

Trending Questions

Popular # Hahtags

Popular Questions