Description
In ApplicationApiHandler.java, the appId is extracted from the URL path and used directly in log statements without sanitization. An attacker can craft a URL whose path segment contains (percent-encoded) newline characters or ANSI escape sequences; once decoded, they are written verbatim into the log files. This can be used to forge log entries, hide malicious activity, or exploit log viewing tools.
Location
platform-rest-api/src/main/java/org/flossware/platform/rest/ApplicationApiHandler.java
appId is extracted from URL path and passed directly to LOGGER.info(), LOGGER.warn(), etc.
Impact
- Log injection: attacker can insert fake log entries (e.g., simulating successful authentication)
- Log spoofing: can hide evidence of attacks by injecting misleading entries
- ANSI injection: if logs are viewed in a terminal, escape sequences can hide, overwrite or recolour what the operator sees and may trigger bugs in terminal emulators that mishandle such sequences
Suggested Fix
- Sanitize appId by removing or replacing control characters (newlines, carriage returns, ANSI escape sequences)
- Validate appId against a strict pattern (e.g., ^[a-zA-Z0-9._-]+$) before processing
- Use the MaskingPatternLayout or a similar mechanism to strip control characters from log messages
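The following is an added example, not code from the project's ApplicationApiHandler. It shows the first two suggested fixes together: a strict allow-list check that should run before the appId is processed, and a log sanitizer that removes ANSI escape sequences and replaces any remaining control character (CR and LF included) so the value can never break a log line. The class name, the 64-character length cap and the constructed payload in main are assumptions for the example; the layout-level mechanism from the third suggestion is not shown here.

```java
import java.util.regex.Pattern;

/**
 * Added example (not project code): defanging an attacker-controlled appId
 * before it reaches LOGGER.info()/LOGGER.warn().
 */
public final class LogSafeAppId {

    // Strict allow-list from the suggested fix: letters, digits, '.', '_', '-'.
    private static final Pattern APP_ID = Pattern.compile("^[a-zA-Z0-9._-]+$");

    // ANSI CSI sequences (ESC '[' params final-byte) and OSC sequences
    // (ESC ']' ... terminated by BEL or ESC '\').
    private static final Pattern ANSI_ESCAPE = Pattern.compile(
            "\u001B\\[[0-?]*[ -/]*[@-~]|\u001B\\][^\u0007\u001B]*(\u0007|\u001B\\\\)");

    private LogSafeAppId() {}

    /**
     * Returns true only if appId is safe to process and to log unchanged.
     * The length cap (64) is an assumption for this example.
     */
    public static boolean isValidAppId(String appId) {
        return appId != null && appId.length() <= 64 && APP_ID.matcher(appId).matches();
    }

    /**
     * Defence in depth for any value that still ends up in a log line:
     * strip ANSI escape sequences, then replace every remaining control or
     * format character (including CR and LF, which would start a forged
     * entry) with '_'. The control-character pass alone neutralises the
     * attack; stripping escapes first just keeps the output readable.
     */
    public static String sanitizeForLog(String value) {
        if (value == null) {
            return "null";
        }
        String noAnsi = ANSI_ESCAPE.matcher(value).replaceAll("");
        StringBuilder out = new StringBuilder(noAnsi.length());
        noAnsi.codePoints().forEach(cp -> {
            if (Character.isISOControl(cp) || Character.getType(cp) == Character.FORMAT) {
                out.append('_');
            } else {
                out.appendCodePoint(cp);
            }
        });
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed attack payload: a decoded path segment carrying CRLF to
        // forge a second log line plus an ANSI "erase line" sequence (ESC [2K).
        String hostile = "app42\r\nINFO  auth ok user=admin\u001B[2K";

        // 1) Validation gate: reject before any processing (e.g. respond 400).
        System.out.println("valid? " + isValidAppId(hostile));   // false

        // 2) If a value must be logged anyway (e.g. in the rejection warning),
        //    log the sanitized form, never the raw one.
        System.out.println("raw   : " + hostile);                 // spans two lines
        System.out.println("safe  : " + sanitizeForLog(hostile)); // app42__INFO  auth ok user=admin
    }
}
```

In the handler the check should run first and short-circuit with a client error; the sanitizer is the fallback for the one log statement that reports the rejected value, so that even the warning about a bad appId cannot be used to forge entries.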
Labels
bug, security