I recently got some security warning from a linter while logging user supplied data. I didn’t pay much attention at first because it’s not enabled in production and not even while I debug myself because there’s too much output. I only enable it when needed.
Anyway, the point is that you can fake log output. I didn’t believe it at first because there’s so many way to prevent that and the complex logging system I use (slf4j) would probably do that by default, right? Right?
So I added the following line to my program:
log.info("Completed\n2024-08-15T10:11:07.102+02:00 \u001B[33m" + "WARN\u001B[0m \u001B[35m35800\u001B[0m --- [JavaFX-Launcher] \u001B[36mio.xeres.app.application.Startup\u001B[0m : System breach detected from ip 66.66.66.66. Computer terminated.");
Three things to note:
- you have to guess the correct time for the log, but this is easy enough
- you have to guess the correct PID, this is harder but still possible, especially if the machine has been running for a long time and there’s already a log snippet somewhere
- it’s easy for a system administator to miss those, so such a log might still induce panic and overblown response
I don’t know why loggers don’t strip ANSI sequences in user supplied data by default. This is dead easy and would actually bring a purpose to those ANSI colors!
I tried to find a setting to enable that but after 10 minutes I gave up. It’s not critical in my case anyway (I only log user supplied data for debugging). But still, it’s a point to remember.