Add support for log encoding

Question

Add support for log encoding

niceone548 opened this issue 4 years ago · comments

It would be a nice if we had the option to encode / escape our log output.
Something like:
logger.atInfo().withCause(exception).encode().log("Log message with: %s", argument);
logger.atInfo().withCause(exception)..log("Log message with: %s", argument).encode();
logger.atInfo().withCause(exception).logEncoded("Log message with: %s", argument);
This way developers would become more security aware, and log forging would become allot harder overall.
Owasp already has an encoder for this:
https://mvnrepository.com/artifact/org.owasp.encoder/encoder/1.2.2
If you don't know what log forging is give this a read:
http://www.jtmelton.com/2010/09/21/preventing-log-forging-in-java/

David Beaumont · Answer 1 · Thu May 07 2020 23:23:30 GMT+0800 (China Standard Time)

Solving an "escaping" problem is not something you can do by changing the Flogger API. Flogger doesn't know or care where the logs go. The right place to care about output is the logger backend. The backend might not even log to a text file at all, making "encoding" an entirely meaningless concept in those situations. On an API note, you definitely wouldn't want to leave it up to random logging API users to know what "encoding" means and understand if/when they have to use it. If you are showing log files to users via web pages, you *must* handle escaping as you would for any untrusted text input (and you do that somewhere other than the logger API). Feel free to implement a logger backend or handler for JDK logger or Log4J to encode log records as HTML or whatever you want. The data is all there. HTH, David

…

On Thu, 7 May 2020 at 16:36, niceone548 ***@***.***> wrote: It would be a nice if we had the option to encode / escape our log output. Something like: logger.atInfo().withCause(exception).encode().log("Log message with: %s", argument); logger.atInfo().withCause(exception)..log("Log message with: %s", argument).encode(); logger.atInfo().withCause(exception).logEncoded("Log message with: %s", argument); This way developers would become more security aware, and log forging would become allot harder overall. Owasp already has an encoder for this: https://mvnrepository.com/artifact/org.owasp.encoder/encoder/1.2.2 If you don't know what log forging is give this a read: http://www.jtmelton.com/2010/09/21/preventing-log-forging-in-java/ — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#162>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAGTWYQN6TZRLKNTS3EC3GTRQLBQBANCNFSM4M3MHHNQ> .

-- David Beaumont :: Îñţérñåţîöñåļîžåţîờñ Libraries :: Google Google Switzerland GmbH., Brandschenkestrasse 110, CH-8002, Zürich - Switzerland