
SENTRY-2120: Escape input string for error response message in LogLevelServlet


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.0, 2.1.0
    • Fix Version/s: 2.1.0
    • Component/s: Sentry
    • Labels:
      None

      Description

      LogLevelServlet.java has the following code

        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
          String logName = getParameter(request, "log");
          String level = getParameter(request, "level");
          response.setContentType("text/html;charset=utf-8");
          response.setStatus(HttpServletResponse.SC_OK);
          PrintWriter out = response.getWriter();
      
          if (logName != null) {
            Logger logInstance = LogManager.getLogger(logName);
            if (level == null) {
              out.write(String.format(FORMS_GET,
                      escapeHtml(logName),
                      logInstance.getEffectiveLevel().toString()));
            } else if (isLogLevelValid(level)) {
              logInstance.setLevel(Level.toLevel(level));
              out.write(String.format(FORMS_SET,
                      escapeHtml(logName),
                      level,
                      level,
                      logInstance.getEffectiveLevel().toString()));
            } else {
              // The untrusted "level" parameter is echoed into the error response unescaped;
              // this is the sink SENTRY-2120 fixes (logName above is already passed through escapeHtml).
              response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid log level: " + level);
              return;
            }
          }
          out.write(FORMS_END);
          out.close();
          response.flushBuffer();
        }
      

      As a result, the value of the "level" HTTP parameter is written directly into the servlet error page. Echoing untrusted input into an error message without escaping is a security bad practice (it is a reflected cross-site scripting sink whenever the container renders the message as HTML). Best practice is to escape the input string, as the same method already does for logName via escapeHtml().
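      The stand-alone Java program below is an added illustration, not code from the Sentry project or from the attached patch. It puts the sendError() message from doGet beside an escaped version and renders both through a mock error page so the difference is visible. The escapeHtml() helper, the isLogLevelValid() stand-in, the list of level names, the error-page template and the attacker payload are all assumptions made for this example; the servlet's real helpers are not shown on this page.

```java
import java.util.Arrays;
import java.util.List;

// Added example for SENTRY-2120 (not Sentry code). Models the unescaped
// error message in LogLevelServlet.doGet() and its escaped replacement.
public class LogLevelErrorEscapeDemo {

    // Assumed: log4j 1.x level names accepted by the servlet's isLogLevelValid().
    private static final List<String> VALID_LEVELS = Arrays.asList(
            "ALL", "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "OFF");

    // Stand-in for the servlet's isLogLevelValid(): exact, case-insensitive match.
    static boolean isLogLevelValid(String level) {
        return level != null && VALID_LEVELS.contains(level.toUpperCase());
    }

    // Stand-in for the escapeHtml() helper the servlet already applies to logName.
    // Escapes the five characters that can break out of HTML text or attribute context.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Before: the message handed to response.sendError() in the issue's code.
    static String errorMessageVulnerable(String level) {
        return "Invalid log level: " + level;
    }

    // After: the same message with the untrusted parameter escaped.
    static String errorMessageFixed(String level) {
        return "Invalid log level: " + escapeHtml(level);
    }

    // Assumed container error page that drops the sendError() message into HTML
    // verbatim. Whether a real container escapes the message is container- and
    // version-specific, which is why the servlet must not rely on it.
    static String renderErrorPage(int status, String message) {
        return "<html><body><h1>HTTP ERROR " + status + "</h1><p>"
                + message + "</p></body></html>";
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled value for the "level" query parameter.
        String payload = "<script>alert(document.cookie)</script>";
        if (!isLogLevelValid(payload)) {
            System.out.println("vulnerable: " + renderErrorPage(400, errorMessageVulnerable(payload)));
            System.out.println("fixed:      " + renderErrorPage(400, errorMessageFixed(payload)));
        }
        // A benign but invalid value reads the same before and after the fix.
        System.out.println("benign:     " + renderErrorPage(400, errorMessageFixed("VERBOSE")));
    }
}
```

      Compile and run with javac/java; the first line of output shows the script tag landing inside the page body, the second shows it neutralised as &lt;script&gt;. A related check when reviewing the patch: "level" is also interpolated unescaped into FORMS_SET on the success branch, which is only safe if isLogLevelValid(level) rejects everything other than a known level name, so the validator is worth reading alongside the escape.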

        Attachments

        1. SENTRY-2120.001.patch
          1 kB
          Na Li

              People

              • Assignee: linaataustin (Na Li)
              • Reporter: linaataustin (Na Li)
              • Votes: 0
              • Watchers: 2