From 5b7e7dbb7012b831e18abf0527189ba033110a5a Mon Sep 17 00:00:00 2001
From: maytlead
Date: Tue, 24 Oct 2023 19:00:58 +0200
Subject: [PATCH] Fix: A1-3 - Remove direct use user input in logging - Log out the encoded logging context
---
 app/routes/session.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/app/routes/session.js b/app/routes/session.js
index 3810fb980..01902b89e 100644
--- a/app/routes/session.js
+++ b/app/routes/session.js
@@ -61,18 +61,18 @@ function SessionHandler(db) {
 const invalidPasswordErrorMessage = "Invalid password";
 if (err) {
 if (err.noSuchUser) {
- console.log("Error: attempt to login with invalid user: ", userName);
+ // console.log("Error: attempt to login with invalid user: ", userName);
 // Fix for A1 - 3 Log Injection - encode/sanitize input for CRLF Injection
 // that could result in log forging:
 // - Step 1: Require a module that supports encoding
- // const ESAPI = require('node-esapi');
+ const ESAPI = require('node-esapi');
 // - Step 2: Encode the user input that will be logged in the correct context
 // following are a few examples:
 // console.log('Error: attempt to login with invalid user: %s',
 // ESAPI.encoder().encodeForHTML(userName));
- // console.log('Error: attempt to login with invalid user: %s',
- // ESAPI.encoder().encodeForJavaScript(userName));
+ console.log('Error: attempt to login with invalid user: %s',
+ ESAPI.encoder().encodeForJavaScript(userName));
 // console.log('Error: attempt to login with invalid user: %s',
 // ESAPI.encoder().encodeForURL(userName));
 // or if you know that this is a CRLF vulnerability you can target this specifically as follows: