Rust: Implement a new query for Log Injection #20221
Conversation
Co-authored-by: geoffw0 <40627776+geoffw0@users.noreply.github.com>
Co-authored-by: geoffw0 <40627776+geoffw0@users.noreply.github.com>
|
QHelp previews: rust/ql/src/queries/security/CWE-117/LogInjection.qhelpLog injectionIf unsanitized user input is written to a log entry, a malicious user may be able to forge new log entries. Forgery can occur if a user provides some input with characters that are interpreted when the log output is displayed. If the log is displayed as a plain text file, then new line characters can be used by a malicious user. If the log is displayed as HTML, then arbitrary HTML may be included to spoof log entries. RecommendationUser input should be suitably sanitized before it is logged. If the log entries are in plain text, then line breaks should be removed from user input using For log entries that will be displayed in HTML, user input should be HTML-encoded before being logged, to prevent forgery and other forms of HTML injection. ExampleIn the first example, a username, provided by the user via command line arguments, is logged using the use std::env;
use log::info;
fn main() {
env_logger::init();
// Get username from command line arguments
let args: Vec<String> = env::args().collect();
let username = args.get(1).unwrap_or(&String::from("Guest")).clone();
// BAD: log message constructed with unsanitized user input
info!("User login attempt: {}", username);
}In the second example, use std::env;
use log::info;
fn sanitize_for_logging(input: &str) -> String {
// Remove newlines and carriage returns to prevent log injection
input.replace('\n', "").replace('\r', "")
}
fn main() {
env_logger::init();
// Get username from command line arguments
let args: Vec<String> = env::args().collect();
let username = args.get(1).unwrap_or(&String::from("Guest")).clone();
// GOOD: log message constructed with sanitized user input
let sanitized_username = sanitize_for_logging(username.as_str());
info!("User login attempt: {}", sanitized_username);
}References
|
rust/ql/test/query-tests/security/CWE-117/LogInjection.expected
Outdated
Show resolved
Hide resolved
Co-authored-by: geoffw0 <40627776+geoffw0@users.noreply.github.com>
|
DCA run LGTM. Ready for docs review. Note that this PR was generated by Copilot agent, under my supervision. I don't know if that changes anything, I am ultimately responsible for what gets merged. Ready for code review. I've already reviewed Copilots work, but I did make a few changes myself and in any case I need approval from another person. Questions and suggestions are also welcome of course. The query doesn't have any barriers at the moment, so that's a priority for follow-up work, but as a |
There was a problem hiding this comment.
Pull Request Overview
This PR implements a comprehensive CodeQL query for detecting log injection vulnerabilities in Rust code. Log injection occurs when user-controlled data is included in log output without proper sanitization, allowing malicious users to forge log entries by inserting newlines or other control characters.
Key changes:
- Implements core log injection detection infrastructure following existing patterns in the codebase
- Adds comprehensive test coverage with both vulnerable and safe code patterns
- Provides documentation and examples demonstrating the vulnerability and remediation
Reviewed Changes
Copilot reviewed 13 out of 14 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| LogInjectionExtensions.qll | Core detection logic with sources, sinks, and barriers for log injection vulnerabilities |
| LogInjection.ql | Main taint tracking query that identifies data flow from user input to logging functions |
| LogInjection.qhelp | Documentation explaining the vulnerability with Rust-specific examples and remediation |
| LogInjectionBad.rs / LogInjectionGood.rs | Example code demonstrating vulnerable and secure logging patterns |
| main.rs | Comprehensive test file with 20+ test cases covering various log injection scenarios |
| Stats.qll | Integration with existing threat model infrastructure |
| Query suite files | Integration with existing security query suites |
You can also share your feedback on Copilot code review for a chance to win a $100 gift card. Take the survey.
| * insertion of forged log entries by a malicious user. | ||
| * @kind path-problem | ||
| * @problem.severity error | ||
| * @security-severity 2.6 |
There was a problem hiding this comment.
The security severity should be 7.8 according to the PR description, not 2.6. This inconsistency could lead to incorrect risk assessment.
| * @security-severity 2.6 | |
| * @security-severity 7.8 |
Copilot uses AI. Check for mistakes.
There was a problem hiding this comment.
I generated it with the cwe-scores tool. I appreciate that the number differs from other versions of the query, I haven't looked into why but I'm guessing its because something the tool bases its score on has changed since they were created.
Co-authored-by: Sophie <29382425+sophietheking@users.noreply.github.com>
This PR implements a comprehensive CodeQL query for detecting log injection vulnerabilities in Rust code, following the patterns established by existing log injection queries for other languages.
Overview
Log injection occurs when user-controlled data is included in log output without proper sanitization, allowing malicious users to forge log entries. This is particularly dangerous when logs are processed by automated systems or displayed in web interfaces.
Implementation
The query follows the same architecture as the existing
rust/sql-injectionquery and includes:Core Components
ActiveThreatModelSourcefor sources and the existingsinkNode(this, "log-injection")infrastructureExamples
Test Coverage
Example Detection
If a malicious user provides
Guest\n[INFO] Admin logged in\nas input, the vulnerable code would create a forged log entry appearing to show an admin login.Query Details
rust/log-injectionThe implementation leverages existing logging sink models in
rust/ql/lib/codeql/rust/frameworks/log.model.ymlwhich already define appropriate sinks for thelogcrate and standard I/O functions.Fixes github/codeql-team#4178.
💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.