LogInjection.qhelp
47 lines (39 loc) · 1.76 KB
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>If unsanitized user input is written to a log entry, a malicious user may be able to forge new log entries.</p>
<p>Forgery can occur if a user provides some input with characters that are interpreted
when the log output is displayed. If the log is displayed as a plain text file, then new
line characters can be used by a malicious user. If the log is displayed as HTML, then
arbitrary HTML may be included to spoof log entries.</p>
</overview>
<recommendation>
<p>
User input should be suitably sanitized before it is logged.
</p>
<p>
If the log entries are in plain text then line breaks should be removed from user input, using
<code>String::replace</code> or similar. Care should also be taken that user input is clearly marked
in log entries.
</p>
<p>
For log entries that will be displayed in HTML, user input should be HTML-encoded before being logged, to prevent forgery and
other forms of HTML injection.
</p>
</recommendation>
<example>
<p>In the first example, a username, provided by the user via command line arguments, is logged using the <code>log</code> crate.
If a malicious user provides <code>Guest\n[INFO] User: Admin\n</code> as a username parameter,
the log entry will be split into multiple lines, where the second line will appear as <code>[INFO] User: Admin</code>,
potentially forging a legitimate admin login entry.
</p>
<sample src="LogInjectionBad.rs" />
<p>In the second example, <code>String::replace</code> is used to ensure no line endings are present in the user input before logging.</p>
<sample src="LogInjectionGood.rs" />
</example>
<references>
<li>OWASP: <a href="https://owasp.org/www-community/attacks/Log_Injection">Log Injection</a>.</li>
</references>
</qhelp>
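The following is an added example, not part of the qhelp above or of the sample files `LogInjectionBad.rs` and `LogInjectionGood.rs` it references. It shows the forgery described in the example section and both recommended mitigations side by side: stripping line breaks with `String::replace` for plain-text logs, and HTML-encoding for entries rendered in HTML. It uses only the standard library (no `log` crate) so it runs anywhere; the function names (`strip_line_breaks`, `strip_control_chars`, `html_encode`, `plaintext_entry`, `unsanitized_entry`, `line_count`) and the quoting convention for marking user input are assumptions of this example.

```rust
// Added example (not the qhelp's own sample code): a plain-text log entry built
// from a constructed malicious username, and the sanitization the qhelp
// recommends. Uses only std so it runs without the `log` crate.

/// Remove line-break characters from user input before logging, as the qhelp
/// recommends via `String::replace`. Both CR and LF are stripped because either
/// can end a line in a log viewer.
pub fn strip_line_breaks(input: &str) -> String {
    input.replace('\r', "").replace('\n', "")
}

/// Stricter variant (assumed here, not in the qhelp): drop every control
/// character, including tabs and terminal escape sequences, so the input cannot
/// steer the viewer at all.
pub fn strip_control_chars(input: &str) -> String {
    input.chars().filter(|c| !c.is_control()).collect()
}

/// Minimal HTML encoding for entries that are rendered in an HTML log viewer.
pub fn html_encode(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Plain-text entry with sanitized input. The user-supplied part is quoted so a
/// reader can see where it starts and ends (the "clearly marked" advice).
pub fn plaintext_entry(username: &str) -> String {
    format!("[INFO] User: \"{}\"", strip_line_breaks(username))
}

/// Entry with no sanitization, kept only to show the forgery side by side.
pub fn unsanitized_entry(username: &str) -> String {
    format!("[INFO] User: {}", username)
}

/// Number of lines an entry occupies once written to a plain-text log.
pub fn line_count(entry: &str) -> usize {
    entry.lines().count()
}

fn main() {
    // Constructed malicious input taken from the qhelp text: embeds a newline
    // followed by a fake admin-login line.
    let evil = "Guest\n[INFO] User: Admin\n";

    let forged = unsanitized_entry(evil);
    println!("unsanitized entry spans {} lines:\n{}", line_count(&forged), forged);

    let safe = plaintext_entry(evil);
    println!("sanitized entry spans {} line:\n{}", line_count(&safe), safe);

    println!("html-encoded: {}", html_encode("<b>Admin</b> & co"));
}
```

Running `main` prints the unsanitized entry as two log lines, the second of which reads exactly like a genuine `[INFO] User: Admin` record, while the sanitized entry stays on one line with the injected text visibly inside the quotes. Stripping all control characters is the safer default when the log is viewed in a terminal, since escape sequences can also rewrite what a reader sees.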