-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve Log4j configuration examples #1483
Improve Log4j configuration examples #1483
Conversation
Apply suggestions on commit: 3aef8fd Co-authored-by: Volkan Yazıcı <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome update. Thank you @ppkarwasz
I would strongly avoid
My 2 cents... 💰 |
I agree with @vy that the cheat-sheet should not promote the usage of unstructured layouts. No line-based layouts, no CRLF injection! Obviously this radically changes the content of the sheet. |
@vy and @ppkarwasz you are better experts than me in this subject so yes go ahead! |
Thanks for the tag but I took this content from the original injection prevention cheatsheet for Java which was brought in by @righettod at this commit: https://github.com/OWASP/CheatSheetSeries/blob/17817a84b9dc945e6b6279a5e9f9b321ad17a4b5/cheatsheets_to_convert/Injection_Prevention_Cheat_Sheet_in_Java.md You would have to ask @righettod where it came from to begin with :) |
I think we are ready for PR's @ppkarwasz - could you also fix the problem in https://github.com/OWASP/CheatSheetSeries/blob/17817a84b9dc945e6b6279a5e9f9b321ad17a4b5/cheatsheets_to_convert/Injection_Prevention_Cheat_Sheet_in_Java.md as well, pretty please? |
Sure, I'll be travelling for work in the next week, but after my return I'll update this PR to:
|
I converted this to draft since we want to make more changes as part of it |
hey @ppkarwasz do you have any updates to this? |
Sorry, I'll put it on my TODO list for this weekend. |
I update both the Log4j Core and Logback examples to use a JSON Layout. The Log4j Core uses a |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good for me
@jmanico if you can take a look :-) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a very positive improvement, thank you!
The current Log4j 2 configuration examples misses some sources of
CRLF
injection:%xEx
converter pattern is implicitly added unlessalwaysWriteExceptions
is set tofalse
.In general every part of a log event, with the exclusion of the timestamp, is susceptible to
CRLF
injection: thread names, logger names, etc. While it is very unlikely that a logger name will contain user data, it is a possibility that should not be excluded.This PR modifies the Log4j examples in the cheat sheet by:
CRLF
injection out of the box.