Merge pull request #3 from maytlead/fix/A1-3

Fix: A1-3
maytlead · Oct 25, 2023 · ae8ced0 · ae8ced0
2 parents c5cb68a + 5b7e7db
commit ae8ced0
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/app/routes/session.js b/app/routes/session.js
@@ -61,18 +61,18 @@ function SessionHandler(db) {
             const invalidPasswordErrorMessage = "Invalid password";
             if (err) {
                 if (err.noSuchUser) {
-                    console.log("Error: attempt to login with invalid user: ", userName);
+                    // console.log("Error: attempt to login with invalid user: ", userName);
 
                     // Fix for A1 - 3 Log Injection - encode/sanitize input for CRLF Injection
                     // that could result in log forging:
                     // - Step 1: Require a module that supports encoding
-                    // const ESAPI = require('node-esapi');
+                    const ESAPI = require('node-esapi');
                     // - Step 2: Encode the user input that will be logged in the correct context
                     // following are a few examples:
                     // console.log('Error: attempt to login with invalid user: %s',
                     //     ESAPI.encoder().encodeForHTML(userName));
-                    // console.log('Error: attempt to login with invalid user: %s',
-                    //     ESAPI.encoder().encodeForJavaScript(userName));
+                    console.log('Error: attempt to login with invalid user: %s',
+                        ESAPI.encoder().encodeForJavaScript(userName));
                     // console.log('Error: attempt to login with invalid user: %s',
                     //     ESAPI.encoder().encodeForURL(userName));
                     // or if you know that this is a CRLF vulnerability you can target this specifically as follows: