Below is my code:

// Imports are assumed from the usage below; the question did not show them
import java.util.Arrays;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringEscapeUtils;

private String getCorrelationId(HttpServletRequest request) {
    String correlationId = null;
    // The header value is client-controlled input
    String valuesList = request.getHeader(CORRELATION_ID_HEADER);
    // escapeJava did not satisfy the Checkmarx taint check for this value
    String valueLists = StringEscapeUtils.escapeJava(valuesList);
    if (valueLists != null && !valueLists.isEmpty()) {
        correlationId = valueLists;
    }
    return correlationId;
}

private void startTransaction(HttpServletRequest request, String serviceName, Object... args) {
    String correlationId = getCorrelationId(request);
    String correlationIds = StringEscapeUtils.escapeJava(correlationId);
    if (correlationIds == null || correlationIds.isEmpty()) {
        // Arrays.toString: concatenating the Object[] directly would log its identity hash
        logger.info(LOG_SERVICE_TYPE + serviceName + Arrays.toString(args));
    } else {
        // The header-derived value reaches the log here; this is the flow Checkmarx flags
        logger.error(LOG_SERVICE_TYPE, serviceName, correlationIds, args);
    }
}
Error received:

Method getCorrelationId gets user input from element getHeader. This element's value flows through the code without being properly sanitized or validated, and is eventually used in writing an audit log in startTransaction. This may enable Log Forging.
I have gone through some Google links but I am not able to understand it. Any help would be appreciated.
Sorry for the late answer on this. I have made many attempts to resolve this for the Checkmarx report; here is what I tried:

HtmlUtils.htmlEscape -> did not work
StringEscapeUtils.escapeJava -> did not work

Finally:

String cleanCorrelationId = correlationId.replace('\t', '_').replace('\n', '_').replace('\r', '_');

and I placed "cleanCorrelationId" in the logging, and the Log Forging issue was resolved in the Checkmarx report.

Many thanks @Zvi Rosenfeld and @erickson
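As an added example (not the asker's or answerer's code, and not tied to any Checkmarx rule) here is a self-contained version of the defence the accepted approach relies on: the header value is first checked against a strict allow-list pattern and rejected if it does not match, and only as a fallback is it neutralised before logging. The neutraliser goes slightly beyond the answer's `replace` chain by mapping every control character, not just tab, CR and LF, to '_'. The header name, the allowed pattern and the sample inputs are assumptions constructed for the demonstration; the caller would pass `request.getHeader(CORRELATION_ID_HEADER)` as `raw`.

```java
import java.util.Optional;
import java.util.regex.Pattern;

// Added example: validate-then-neutralise handling of a log-bound request header.
public final class CorrelationIdSanitizer {

    // Assumed header name; the question only references the constant by name.
    static final String CORRELATION_ID_HEADER = "X-Correlation-Id";

    // Allow-list for an opaque token (UUID-style ids fit): no whitespace, no control
    // characters, bounded length so a huge header cannot bloat the audit log.
    private static final Pattern ALLOWED = Pattern.compile("^[A-Za-z0-9._-]{1,64}$");

    /** Preferred path: accept the id only if it matches the allow-list, else empty. */
    public static Optional<String> validated(String raw) {
        if (raw == null || !ALLOWED.matcher(raw).matches()) {
            return Optional.empty();
        }
        return Optional.of(raw);
    }

    /** Fallback path: map CR, LF, TAB and every other control character to '_'. */
    public static String neutralised(String raw) {
        if (raw == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(raw.length());
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            out.append(Character.isISOControl(c) ? '_' : c);
        }
        return out.toString();
    }

    /** What startTransaction would log: a validated id, or a neutralised one marked as such. */
    public static String forLog(String raw) {
        return validated(raw)
                .orElseGet(() -> "invalid-correlation-id(" + neutralised(raw) + ")");
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a well-formed id and one carrying an injected line break.
        String wellFormed = "7c2a1f3e-0b2d-4f7a-9d3b-2a1c5e6f7a8b";
        String withLineBreak = "abc\r\nsecond line";

        System.out.println(forLog(wellFormed));
        System.out.println(forLog(withLineBreak));
        System.out.println(forLog(null));
    }
}
```

Logging the neutralised form inside a marker such as `invalid-correlation-id(...)` keeps the audit trail informative (you can see that a malformed id arrived) while the rejected value can no longer start a new log line. Rejecting on the allow-list first also means the common case never depends on the character-by-character fallback being complete.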