Is Output Neutralization required when logging C# exception messages to log files?



  • CWE-117 is the common weakness enumeration for improper output neutralization in logs. My company uses VeraCode to scan for security weaknesses. Veracode indicated that this code had an output neutralization weakness:

    catch (Exception e)
    {
        // e.Message is written to the log as-is; this is the line Veracode flags as CWE-117
        _logger.ErrorFormat(_loggerFormat, "An error occurred (while doing something redacted)", e.Message.ToString());
        result = SomeEnum.Exception;
    }
    

    _logger is an ILogger and uses log4net.

    I would argue that an Exception message is NOT untrusted data and therefore I don't have to neutralize it to remove carriage returns and line feeds. I'm not displaying a string of user input, I'm showing a message from a caught exception.

    What am I missing?



  • What am I missing?

    Maybe just the fact that static analysis tools can give a lot of false positives.

    At first glance, your reasoning sounds good to me--unless there is some way for the user to inject data into the generic Exception.Message.
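The case the answer hints at, as an added example that is not part of the original thread or the poster's code: an exception message can carry text that originated with the user, either because the application itself formats the offending value into an ArgumentException, or because a framework exception (here FileNotFoundException / IOException from File.ReadAllText) echoes the path it was given. The names `LogNeutralization`, `Neutralize`, `ParseCommand` and `ReadUserFile` are hypothetical, the hostile input is constructed, and Console.WriteLine stands in for the log4net logger from the question.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;

// Added example (not from the original post). Demonstrates how Exception.Message can
// contain user-controlled text, and a small CWE-117 neutralization helper for it.
public static class LogNeutralization
{
    // Escape CR and LF so a single log call can never be split into several log lines.
    // Other C0 control characters are replaced as well, since terminal/viewer tricks use them.
    public static string Neutralize(string value)
    {
        if (value == null) return string.Empty;
        return Regex.Replace(value, @"[\x00-\x1F]", m =>
            m.Value == "\r" ? "\\r" :
            m.Value == "\n" ? "\\n" :
            m.Value == "\t" ? "\\t" :
            "\\x" + ((int)m.Value[0]).ToString("X2"));
    }

    // Application-thrown exception: the message is built from the user's own input.
    public static string ParseCommand(string command)
    {
        try
        {
            if (command != "start" && command != "stop")
                throw new ArgumentException($"Unknown command: {command}");
            return "ok";
        }
        catch (Exception e)
        {
            return e.Message; // would be passed to _logger.ErrorFormat in the original code
        }
    }

    // Framework-thrown exception: on .NET the FileNotFoundException / IOException message
    // echoes the path that was supplied, so a user-chosen file name ends up in e.Message.
    public static string ReadUserFile(string userSuppliedPath)
    {
        try
        {
            return File.ReadAllText(userSuppliedPath);
        }
        catch (Exception e)
        {
            return e.Message;
        }
    }

    public static void Main()
    {
        // Constructed hostile input: a value followed by CRLF and a forged log line.
        string hostile = "missing.txt\r\n2024-01-01 12:00:00 INFO Admin login succeeded";

        foreach (string raw in new[] { ParseCommand(hostile), ReadUserFile(hostile) })
        {
            Console.WriteLine("Unneutralized: " + raw);          // two lines in the log
            Console.WriteLine("Neutralized:   " + Neutralize(raw)); // one line, CRLF escaped
        }
    }
}
```

With this in place the original catch block would call `_logger.ErrorFormat(_loggerFormat, "...", Neutralize(e.Message))`; whether that is worth doing depends on whether any caller can influence the text that reaches the exception, which is exactly the condition the answer above names.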

