I have a CWE 117 issue reported in my product.
The CWE 117 issue is that the software does not properly sanitize, or incorrectly sanitizes, output that is written to logs, and one possible solution I got was to add the following while logging.
String clean = args[1].replace('\n', '_').replace('\r', '_');
log.info(clean);
My question is whether there is any central place in log4j where a single change can solve this issue?
It is the Layout that is responsible for serializing the log message, and it is here the newline-transformation code belongs. I suggest creating your own (trivial) subclass of PatternLayout that does the transformation. This has also been discussed on the Log4j mailing list here. Here's a slightly modified version of the solution suggested in that thread:

Related question (with a potentially useful answer):
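As an added example of the approach the answer describes (this is not the code from the answer or from the mailing-list thread), here is a Log4j 1.2 PatternLayout subclass that neutralises CR and LF in every formatted record. The class name, the package com.example.logging, the pattern string and the log message in main are assumptions made for the example; the Log4j types (PatternLayout, LoggingEvent, ConsoleAppender, Layout.LINE_SEP) are the real 1.2 API. Rather than replacing line breaks with '_' as in the question, it renders them as the visible escapes \n and \r, so an analyst can still see that a break was attempted. It also keeps the record terminator that the pattern's %n produces, so only the payload between terminators is rewritten.

```java
package com.example.logging; // assumed package name for this example

import org.apache.log4j.ConsoleAppender;
import org.apache.log4j.Logger;
import org.apache.log4j.PatternLayout;
import org.apache.log4j.spi.LoggingEvent;

/**
 * PatternLayout that prevents log injection (CWE-117) by escaping CR and LF
 * in the formatted record, so untrusted input cannot forge extra log lines.
 * Configure it like any layout, e.g. in log4j.properties:
 *   log4j.appender.stdout.layout=com.example.logging.NewlineEscapingPatternLayout
 *   log4j.appender.stdout.layout.ConversionPattern=%d{ISO8601} %-5p %c - %m%n
 */
public class NewlineEscapingPatternLayout extends PatternLayout {

    public NewlineEscapingPatternLayout() {
        super();
    }

    public NewlineEscapingPatternLayout(String pattern) {
        super(pattern);
    }

    @Override
    public String format(LoggingEvent event) {
        String record = super.format(event);
        // %n at the end of the pattern emits LINE_SEP; keep that one terminator
        // intact and sanitise only the body in front of it.
        boolean terminated = record.endsWith(LINE_SEP);
        String body = terminated
                ? record.substring(0, record.length() - LINE_SEP.length())
                : record;
        return escapeLineBreaks(body) + (terminated ? LINE_SEP : "");
    }

    /** Replaces every CR and LF with a visible two-character escape. */
    static String escapeLineBreaks(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 8);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\n': sb.append("\\n"); break;
                case '\r': sb.append("\\r"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Stand-alone demonstration with a constructed, injection-style message. */
    public static void main(String[] args) {
        Logger root = Logger.getRootLogger();
        root.removeAllAppenders();
        root.addAppender(new ConsoleAppender(
                new NewlineEscapingPatternLayout("%d{ISO8601} %-5p %c - %m%n")));

        Logger log = Logger.getLogger(NewlineEscapingPatternLayout.class);
        // Constructed untrusted input that tries to append a fake "login ok" line.
        String untrusted = "bob\n2024-01-01 00:00:00,000 INFO  auth - login ok for admin";
        log.info("login failed for user=" + untrusted);
        // Appears as ONE record, with the break shown literally as \n.
    }
}
```

One caveat the layout cannot cover: PatternLayout.ignoresThrowable() returns true, so WriterAppender writes the lines of a logged exception (event.getThrowableStrRep()) itself, bypassing format(). Exception messages built from untrusted input therefore still need sanitising before they reach the logger, or a layout that returns false from ignoresThrowable() and renders the throwable inside format(). If you are on Log4j 2 rather than 1.x, its PatternLayout already offers the %enc{%m}{CRLF} converter for the same purpose, which removes the need for a subclass.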