• Home
• org.sonarsource.dotnet
• sonar-vbnet-plugin
• 10.6.0.109712
• source code
• S4792.html

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.sonar.plugins.vbnet.S4792.html Maven / Gradle / Ivy

This rule is deprecated, and will eventually be removed.
Configuring loggers is security-sensitive. It has led in the past to the following vulnerabilities:

  
 CVE-2018-0285 
  
 CVE-2000-1127 
  
 CVE-2017-15113 
  
 CVE-2015-5742 

Logs are useful before, during and after a security incident.

  
 Attackers will most of the time start their nefarious work by probing the system for vulnerabilities. Monitoring this activity and stopping it
  is the first step to prevent an attack from ever happening. 
  
 In case of a successful attack, logs should contain enough information to understand what damage an attacker may have inflicted. 

Logs are also a target for attackers because they might contain sensitive information. Configuring loggers has an impact on the type of information
logged and how they are logged.
This rule flags for review code that initiates loggers configuration. The goal is to guide security code reviews.
Ask Yourself Whether

  
 unauthorized users might have access to the logs, either because they are stored in an insecure location or because the application gives
  access to them. 
  
 the logs contain sensitive information on a production server. This can happen when the logger is in debug mode. 
  
 the log can grow without limit. This can happen when additional information is written into logs every time a user performs an action and the
  user can perform the action as many times as he/she wants. 
  
 the logs do not contain enough information to understand the damage an attacker might have inflicted. The loggers mode (info, warn, error)
  might filter out important information. They might not print contextual information like the precise time of events or the server hostname. 
  
 the logs are only stored locally instead of being backuped or replicated. 

There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices

  
 Check that your production deployment doesn’t have its loggers in "debug" mode as it might write sensitive information in logs. 
  
 Production logs should be stored in a secure location which is only accessible to system administrators. 
  
 Configure the loggers to display all warnings, info and error messages. Write relevant information such as the precise time of events and the
  hostname. 
  
 Choose log format which is easy to parse and process automatically. It is important to process logs rapidly in case of an attack so that the
  impact is known and limited. 
  
 Check that the permissions of the log files are correct. If you index the logs in some other service, make sure that the transfer and the
  service are secure too. 
  
 Add limits to the size of the logs and make sure that no user can fill the disk with logs. This can happen even when the user does not control
  the logged information. An attacker could just repeat a logged action many times. 

Remember that configuring loggers properly doesn’t make them bullet-proof. Here is a list of recommendations explaining on how to use your
logs:

  
 Don’t log any sensitive information. This obviously includes passwords and credit card numbers but also any personal information such as user
  names, locations, etc…​ Usually any information which is protected by law is good candidate for removal. 
  
 Sanitize all user inputs before writing them in the logs. This includes checking its size, content, encoding, syntax, etc…​ As for any user
  input, validate using whitelists whenever possible. Enabling users to write what they want in your logs can have many impacts. It could for example
  use all your storage space or compromise your log indexing service. 
  
 Log enough information to monitor suspicious activities and evaluate the impact an attacker might have on your systems. Register events such as
  failed logins, successful logins, server side input validation failures, access denials and any important transaction. 
  
 Monitor the logs for any suspicious activity. 

Sensitive Code Example
.Net Core: configure programmatically
Imports System
Imports System.Collections
Imports System.Collections.Generic
Imports Microsoft.AspNetCore
Imports Microsoft.AspNetCore.Builder
Imports Microsoft.AspNetCore.Hosting
Imports Microsoft.Extensions.Configuration
Imports Microsoft.Extensions.DependencyInjection
Imports Microsoft.Extensions.Logging
Imports Microsoft.Extensions.Options

Namespace MvcApp

    Public Class ProgramLogging

        Public Shared Function CreateWebHostBuilder(args As String()) As IWebHostBuilder

            WebHost.CreateDefaultBuilder(args) _
                .ConfigureLogging(Function(hostingContext, Logging) ' Sensitive
                                      ' ...
                                  End Function) _
            .UseStartup(Of StartupLogging)()

            '...
        End Function
    End Class


    Public Class StartupLogging

        Public Sub ConfigureServices(services As IServiceCollection)

            services.AddLogging(Function(logging) ' Sensitive
                                    '...
                                End Function)
        End Sub

        Public Sub Configure(app As IApplicationBuilder, env As IHostingEnvironment, loggerFactory As ILoggerFactory)

            Dim config As IConfiguration = Nothing
            Dim level As LogLevel = LogLevel.Critical
            Dim includeScopes As Boolean = False
            Dim filter As Func(Of String, Microsoft.Extensions.Logging.LogLevel, Boolean) = Nothing
            Dim consoleSettings As Microsoft.Extensions.Logging.Console.IConsoleLoggerSettings = Nothing
            Dim azureSettings As Microsoft.Extensions.Logging.AzureAppServices.AzureAppServicesDiagnosticsSettings = Nothing
            Dim eventLogSettings As Microsoft.Extensions.Logging.EventLog.EventLogSettings = Nothing

            ' An issue will be raised for each call to an ILoggerFactory extension methods adding loggers.
            loggerFactory.AddAzureWebAppDiagnostics() ' Sensitive
            loggerFactory.AddAzureWebAppDiagnostics(azureSettings) ' Sensitive
            loggerFactory.AddConsole() ' Sensitive
            loggerFactory.AddConsole(level) ' Sensitive
            loggerFactory.AddConsole(level, includeScopes) ' Sensitive
            loggerFactory.AddConsole(filter) ' Sensitive
            loggerFactory.AddConsole(filter, includeScopes) ' Sensitive
            loggerFactory.AddConsole(config) ' Sensitive
            loggerFactory.AddConsole(consoleSettings) ' Sensitive
            loggerFactory.AddDebug() ' Sensitive
            loggerFactory.AddDebug(level) ' Sensitive
            loggerFactory.AddDebug(filter) ' Sensitive
            loggerFactory.AddEventLog() ' Sensitive
            loggerFactory.AddEventLog(eventLogSettings) ' Sensitive
            loggerFactory.AddEventLog(level) ' Sensitive
            ' Only available for NET Standard 2.0 and above
            'loggerFactory.AddEventSourceLogger() ' Sensitive

            Dim providers As IEnumerable(Of ILoggerProvider) = Nothing
            Dim filterOptions1 As LoggerFilterOptions = Nothing
            Dim filterOptions2 As IOptionsMonitor(Of LoggerFilterOptions) = Nothing

            Dim factory As LoggerFactory = New LoggerFactory() ' Sensitive
            factory = New LoggerFactory(providers) ' Sensitive
            factory = New LoggerFactory(providers, filterOptions1) ' Sensitive
            factory = New LoggerFactory(providers, filterOptions2) ' Sensitive
        End Sub
    End Class
End Namespace

Log4Net
Imports System
Imports System.IO
Imports System.Xml
Imports log4net.Appender
Imports log4net.Config
Imports log4net.Repository

Namespace Logging
    Class Log4netLogging
        Private Sub Foo(ByVal repository As ILoggerRepository, ByVal element As XmlElement, ByVal configFile As FileInfo, ByVal configUri As Uri, ByVal configStream As Stream, ByVal appender As IAppender, ParamArray appenders As IAppender())
            log4net.Config.XmlConfigurator.Configure(repository) ' Sensitive
            log4net.Config.XmlConfigurator.Configure(repository, element) ' Sensitive
            log4net.Config.XmlConfigurator.Configure(repository, configFile) ' Sensitive
            log4net.Config.XmlConfigurator.Configure(repository, configUri) ' Sensitive
            log4net.Config.XmlConfigurator.Configure(repository, configStream) ' Sensitive
            log4net.Config.XmlConfigurator.ConfigureAndWatch(repository, configFile) ' Sensitive

            log4net.Config.DOMConfigurator.Configure() ' Sensitive
            log4net.Config.DOMConfigurator.Configure(repository) ' Sensitive
            log4net.Config.DOMConfigurator.Configure(element) ' Sensitive
            log4net.Config.DOMConfigurator.Configure(repository, element) ' Sensitive
            log4net.Config.DOMConfigurator.Configure(configFile) ' Sensitive
            log4net.Config.DOMConfigurator.Configure(repository, configFile) ' Sensitive
            log4net.Config.DOMConfigurator.Configure(configStream) ' Sensitive
            log4net.Config.DOMConfigurator.Configure(repository, configStream) ' Sensitive
            log4net.Config.DOMConfigurator.ConfigureAndWatch(configFile) ' Sensitive
            log4net.Config.DOMConfigurator.ConfigureAndWatch(repository, configFile) ' Sensitive

            log4net.Config.BasicConfigurator.Configure() ' Sensitive
            log4net.Config.BasicConfigurator.Configure(appender) ' Sensitive
            log4net.Config.BasicConfigurator.Configure(appenders) ' Sensitive
            log4net.Config.BasicConfigurator.Configure(repository) ' Sensitive
            log4net.Config.BasicConfigurator.Configure(repository, appender) ' Sensitive
            log4net.Config.BasicConfigurator.Configure(repository, appenders) ' Sensitive
        End Sub
    End Class
End Namespace

NLog: configure programmatically
Namespace Logging
    Class NLogLogging
        Private Sub Foo(ByVal config As NLog.Config.LoggingConfiguration)
            NLog.LogManager.Configuration = config ' Sensitive
        End Sub
    End Class
End Namespace

Serilog
Namespace Logging
    Class SerilogLogging
        Private Sub Foo()
            Dim config As Serilog.LoggerConfiguration = New Serilog.LoggerConfiguration() ' Sensitive
        End Sub
    End Class
End Namespace

See

  
 OWASP - Top 10 2021 Category A9 - Security Logging and
  Monitoring Failures 
  
 OWASP - Top 10 2017 Category A3 - Sensitive Data
  Exposure 
  
 OWASP - Top 10 2017 Category A10 -
  Insufficient Logging & Monitoring 
  
 CWE - CWE-117 - Improper Output Neutralization for Logs 
  
 CWE - CWE-532 - Information Exposure Through Log Files