Log Forging with types different than string.

[WSkwieVolue]

codeql/csharp/ql/src/Security Features/CWE-117/LogForging.ql

Line 1 in bc93a22

/**

Hello :),

I would like to know why does this rule apply for parameters with types different than string. For example I have received an alert with high severity about a DateTime variable. It is formatted like this:

{validFor:yyyy-MM-dd}

So there is no way of a malicious user to forge anything this way. I do not see any other way to sanitize that input other than formatting it.

Could you please explain this to me?

[edoardopirovano]

Greetings, many thanks for raising this with us. It does indeed sound like there is an opportunity to reduce false positives on this query by enhancing our analysis to consider the types of variables flowing into the logs. I'll raise this with our C# analysis team so they can consider whether to prioritize making this change.

[WSkwieVolue]

Thank You :)

[michaelnebel]

@WSkwieVolue : Could you provide a small piece of example code? Is the alert found in some ASP.NET code (you mention parameters)?

[WSkwieVolue]

In one of my controllers there is a endpoint method that takes a datetime as a parameter. That parameter is later passed to inner methods. The CodeQL sees that this datetime is used directly to format a log line in the inner methods.

I cannot share my exact code but it is something similar to this:

[HttpGet]
public async Task<ActionResult> GetSomething(DateTime date)
{
    SomeMethod(date);
}

private SomeMethod(DateTime date)
{
   (...)
    _Logger.Error($"Could not do stuff for selected date {date:yyyy-MM-dd}")
}

[michaelnebel]

Great - thank you! I expected something along those lines :-)