-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathLogForging.cs
More file actions
63 lines (55 loc) · 1.84 KB
/
LogForging.cs
File metadata and controls
63 lines (55 loc) · 1.84 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
using System;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Web;
using Microsoft.Extensions.Logging;
class ILogger
{
public void Warn(string message) { }
}
public class LogForgingHandler : IHttpHandler
{
public void ProcessRequest(HttpContext ctx)
{
String username = ctx.Request.QueryString["username"]; // $ Source
ILogger logger = new ILogger();
// BAD: Logged as-is
logger.Warn(username + " logged in"); // $ Alert
// GOOD: New-lines removed
logger.Warn(username.Replace(Environment.NewLine, "") + " logged in");
// GOOD: New-lines removed
logger.Warn(username.Replace(Environment.NewLine, "", StringComparison.InvariantCultureIgnoreCase) + " logged in");
// GOOD: New-lines replaced
logger.Warn(username.ReplaceLineEndings("") + " logged in");
// GOOD: Html encoded
logger.Warn(WebUtility.HtmlEncode(username) + " logged in");
// BAD: Logged as-is to TraceSource
new TraceSource("Test").TraceInformation(username + " logged in"); // $ Alert
Microsoft.Extensions.Logging.ILogger logger2 = null;
// BAD: Logged as-is
logger2.LogError(username); // $ Alert
// GOOD: uses safe extension method that sanitizes internally
logger.WarnSafe(username + " logged in");
// BAD: uses unsafe extension method that does not sanitize
logger.WarnUnsafe(username + " logged in");
}
public bool IsReusable
{
get
{
return true;
}
}
}
static class LoggerExtensions
{
public static void WarnSafe(this ILogger logger, string message)
{
logger.Warn(message.Replace(Environment.NewLine, ""));
}
public static void WarnUnsafe(this ILogger logger, string message)
{
logger.Warn(message); // $ Alert
}
}